No prospect of prison, just a higher fine

Nov 12, 2014 18:15 GMT

An individual who accessed the database of EE, a mobile network operator in the UK, without authorization and stole details of 1,066 customers received only a small fine of £500 / €635 / $793 in Calderdale Magistrates’ Court on Tuesday.

Identified as 25-year-old Matthew Devlin, the perpetrator is the director of three marketing and telecoms companies and used the illegally obtained information to push the services of his firm to the customers of EE. He timed his approach for when the customers’ mobile phone upgrades were due.

A fine this small is far from being a deterrent

The Information Commissioner’s Office in the UK says that Devlin was given two extra financial penalties: one of £438 / €556 / $693 for costs and a £50 / €55 / $69 victim surcharge.

This sort of punishment is no deterrent for individuals trying to get private information through illegal means, especially since there is no threat of jail time in the Magistrates’ Court.

“Our personal details are worth serious money to rogue operators. If we don't want people to steal our personal details or buy and sell them as they like, then we need to show them how serious we are taking this. And that means the prospect of prison for the most serious cases,” says Christopher Graham, Information Commissioner.

Access to the customer database was achieved through social engineering: Devlin called EE’s distributors and pretended to be a member of the security team from Orange. In this way, he managed to learn the credentials necessary for unlocking access to the customer data.

Stronger punishment means a greater financial penalty

ICO Head of Enforcement Stephen Eckersley notes that EE informed the office of the breach, and thanks to the security measures on their systems, ICO was able to identify Devlin.

Under the Data Protection Act, getting personal information through illicit actions is a criminal offense. However, there is no prison punishment in these cases, and the offenders can only be fined; the penalty can go as high as £5,000 / €6,350 / $7,900.

Data breaches are a serious matter, especially when personally identifiable information is involved. Details of this type can easily allow cybercriminals to steal identities and obtain credit in the name of the victim.

When problems with payment occur, the victim is the one taking all the heat until the fraud is acknowledged.

It appears that the employees of the mobile phone distributors, who revealed sensitive information over the phone, were at fault in this case. Stronger policies regarding confidential information, and adherence to them, would have prevented this incident.