ICO secures Proceeds-of-Crime confiscation from former RAC employees who sold ~30,000 customer records
From CTI Daily Brief — 2026-06-08 · published 2026-06-08 · view item permalink →
The UK Information Commissioner's Office, in an enforcement-action notice surfaced in early June (page last updated 5 June), recorded Proceeds of Crime Act confiscation orders totalling £118,852.32 against two former RAC contact-centre employees: Maliha Islam, ordered to pay £33,125.00 at a hearing in November 2025, and Debbie Okparavero, ordered to pay £85,727.32 at a hearing held on 29 May 2026 (ICO). The pair were convicted in October 2024 of conspiracy under the Computer Misuse Act 1990 and Data Protection Act 2018 for unlawfully copying and selling roughly 30,000 lines of customer personal data (used to fuel nuisance-claims calls); the original sentences were suspended, and the POCA hearings quantified and ordered repayment of the financial benefit. The ICO explicitly framed the action as using "the full range of its enforcement powers" — criminal asset recovery, not just civil penalty.
Defender takeaway: insider exfiltration is a low-volume, high-trust threat that DLP and access reviews catch, not perimeter controls. The case is a reminder to scope contact-centre / CRM data on a need-to-know basis, monitor privileged-user query and bulk-export patterns, and retain audit trails long enough to support prosecution — the benefit calculation here rested on demonstrable records of the theft years after the fact. For Swiss/EU practitioners, it is a useful GDPR-comparable benchmark for how a peer regulator escalates against insider data theft.