This week has uncovered two more breaches of the Data Protection Act after action was taken by the Information Commissioner and the Serious and Organised Crime Agency (SOCA) against individuals who used social engineering for profit.
The more criminal of the two cases involved “private detectives” blagging confidential information for their clients to use.
SOCA defines blagging as follows: “Blagging is the art of bypassing security measures through skilled persuasion and impersonating someone else.”
SOCA said of the case:
“SOCA’s focus during the investigation was criminal conspiracy. However, in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.”
The Information Commissioner said:
“The scourge of data theft continues to threaten the privacy rights of the UK population. Whilst we welcome today’s sentencing of the private investigator, Graham Freeman, and his three accomplices, the outcome of the case underlines the need for a comprehensive approach to deterring information theft. If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough.
“Unscrupulous individuals will continue to try and obtain people’s information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”
In the second example, a letting agent who tried to obtain details about a tenant’s finances from the Department for Work and Pensions (DWP) was found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
Pinchas Braun, of Tottenham, was fined £200 and ordered to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates.
The ICO’s investigating officers identified the caller as Pinchas Braun. Further enquiries found that Braun worked for a property management and rental business called Manor West Estates and that he was responsible for rent collection. The DWP account that Mr Braun had targeted belonged to one of his employer’s tenants.
Information Commissioner, Christopher Graham, said:
“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.
“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.
“This case shows that unscrupulous individuals will continue to try and blag people’s details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.
“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. This also applies to attempts under the Criminal Attempts Act. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.
Both examples show how important it is for all organisations to be aware of the threat to their customers from “blagging” or “social engineering”. For example, in the Braun case above, he was unsuccessful because he didn’t know the middle name of the victim.