Viewing 35 posts - 1 through 35 (of 35 total)
  • Insurance Co. data scam
  • slowoldgit
    Free Member

    It’s still happening…

    http://news.cityoflondon.police.uk/r/894/five_people_sentenced_for_leaking_customer_data

    … with links to two other cases.

    Jakester
    Free Member

    Yes, but isn’t your thread title a bit of a misnomer? It’s not the companies doing it.

    slowoldgit
    Free Member

    Would you like to suggest an improvement? It’s their data, and they aren’t looking after it is my viewpoint.

    slowster
    Free Member

    It’s their data, and they aren’t looking after it is my viewpoint.

    What do you think they should be doing to prevent this?

    Cougar
    Full Member

    It’s not clear what this “data” actually was, but SOG is absolutely right. Employees shouldn’t have access to confidential data, and there are ways and means to protect this.

    As an example, one of our customers takes credit card payments over the phone. Their customer keys in their details, and there’s a tamper-proof dongle on the phone which filters out the DTMF tones so the employee can’t hear / record them.

    slowoldgit
    Free Member

    Duty of Care probably covers it, I believe.

    IHN
    Full Member

    As an example, one of our customers takes credit card payments over the phone. Their customer keys in their details, and there’s a tamper-proof dongle on the phone which filters out the DTMF tones so the employee can’t hear / record them.

    Of course that’s for PCI-DSS compliance, not DPA compliance, but yeah, kinda.

    BoardinBob
    Full Member

    Which is a perfectly good example

    But how do you stop insurance company employees knowing information about a claim or incident? That’s simply impossible to stop, otherwise they wouldn’t be able to do their job.

    Realistically the only way to guarantee it would be

    Banning phones or cameras from the office
    Ban printing of anything
    Carry out strip searches at the end of everyone’s shift to ensure they’re not sneaking out documents, handwritten notes etc
    Don’t employ anyone with a photographic memory

    For the incident in the case in the OP, it’s simply a case of knowing the name and telephone number of a customer that was involved in a crash, and passing that to some external party. Virtually impossible to stop.

    slowster
    Free Member

    It’s not clear what this “data” actually was

    I presume that it was the names, addresses and telephone number/email address of policyholders who had been involved in a non-fault accident. As I understand it the claims management companies to whom that illegally obtained data is sold will then contact the person to try to get them to make a claim for other (sometimes fake) losses, e.g. injury such as whiplash and car hire, against the at fault driver and their insurer.

    The problem with keeping that sort of data confidential from the employees handling it, is that the employees need it to be able to deal with the claim.

    As I see it, the investigation and convictions are signs that the system is working: it’s a criminal offence, and despite police reportedly often being unwilling/inadequately resourced to investigate these types of crimes, they did so and achieved convictions. Those convictions will help to deter others: the sentences were not severe, but it is the fear of being caught that deters, rather than the potential sentence.

    Jakester
    Free Member

    BoardinBob – Member
    Realistically the only way to guarantee it would be

    Banning phones or cameras from the office
    Ban printing of anything
    Carry out strip searches at the end of everyone’s shift to ensure they’re not sneaking out documents, handwritten notes etc
    Don’t employ anyone with a photographic memory

    For the incident in the case in the OP, it’s simply a case of knowing the name and telephone number of a customer that was involved in a crash, and passing that to some external party. Virtually impossible to stop.

    I know for a fact that that particular insurer has had at least the first two precautions in place – phones etc banned for the last few years, and a ban on printing (or use of paper whatsoever) was banned last year.

    There’s obvious legality issues concerning searches, and they want to make their work environments a reasonable place to work for clerical/professional people, so that’s not going to happen.

    The fact of the matter is many of us have access to confidential data all the time at our job. We don’t look to sell it off and profit from it.

    The wrongdoing was not the insurer, who IMO took reasonable steps to guard against the risk, but that of the employees. Therefore it wasn’t an “insurance co data scam” but “insurance co employee data theft”.

    There, that wasn’t so hard, was it?

    pk13
    Full Member

    The folk that work on this in my firm don’t even have paper or pens. No phones etc., no junk/toys at the desks etc. I did hear they had all the USB slots on the PCs glued up too. And that’s not in banking or finance.

    prawny
    Full Member

    I thought it was interesting that the people being bribed got harsher sentences than the ones that were approached, it would certainly put me off, especially as they only earned £7k off it.

    It’s made it not worth it, I think they’re doing a decent enough job deterring potential leakers.

    slowoldgit
    Free Member

    Ok, the linky above has two further links. From the first of these…

    ‘Aviva’s investigation manager identified that 2.5 percent of the recovered data that IFED had asked them to analyse was their own’

    … that’s from a recovered HD. I wonder where the rest of the data came from, if it was also scammed. And if it wasn’t, why would anyone mention it?

    scotroutes
    Full Member

    It’s not “scammed” it’s stolen.

    shooterman
    Full Member

    Is there a legitimate way claims management companies get data from insurers?

    I ask as I have been bombarded with calls (sometimes up to 4 a day) following a damage only accident I had in March 2016. The callers know the details of the accident.

    Just wondering how they got my mobile no etc?

    hjghg5
    Free Member

    My understanding is that the insurers do sell the data themselves or they certainly used to – I’ve thankfully escaped from the murky world of motor claims.

    I’m currently amused by the fact that they have sold information about a breakdown on. My breakdown cover is via my insurance and since I had a couple of breakdowns recently I’ve been plagued by calls (from people who know my name/mobile number) asking about my recent accident. Yes, the insurers sent a recovery truck out, but there was no accident involved. And due to the fact that no-one else was involved it’s pretty easy to work out where the data came from…

    nickfrog
    Free Member

    Totally misleading thread title indeed.

    slowoldgit
    Free Member

    I have this naive idea that companies don’t evade responsibility for the actions of their employees.

    It would be nice to hear that the Ins Cos are following the data path, and taking action against those who make use of that illegally-held data. Also that they are in contact with all those people innocently affected.

    slowoldgit
    Free Member

    What do you think they should be doing to prevent this?

    Not my problem, unless it’s my data. Take responsibility yourselves.

    edlong
    Free Member

    It would be nice to hear that the Ins Cos are following the data path, and taking action against those who make use of that illegally-held data.

    Did you actually read the report in the link from the OP?

    Jakester
    Free Member

    slowoldgit – Member
    I have this naive idea that companies don’t evade responsibility for the actions of their employees.

    It would be nice to hear that the Ins Cos are following the data path, and taking action against those who make use of that illegally-held data. Also that they are in contact with all those people innocently affected.

    Where does it suggest anywhere that the company is trying to do that? As I mentioned above, I have worked directly with the company mentioned and they are extremely strict about compliance with data protection obligations.

    Precisely what action do you think the company (as opposed to the police) should take? Those people will already have been fired. What else can they do? They will have co-operated with the police as well.

    Seems to me a non-rant based on a lack of understanding about what an employer can and cannot do.

    Insurance companies are guilty of many things, but in this case I can’t see what they have done wrong…

    Jakester
    Free Member

    slowoldgit – Member
    Not my problem, unless it’s my data. Take responsibility yourselves.

    So you’re criticising them for not doing something, but you won’t say what it is they should or shouldn’t have done, because it’s not your problem?

    Epic rant fail IMO! 😀

    slowoldgit
    Free Member

    That report said the Nawaz brothers were selling on the data. So is anyone other than me asking who they were selling it to?

    Jakester
    Free Member

    slowoldgit – Member
    That report said the Nawaz brothers were selling on the data. So is anyone other than me asking who they were selling it to?

    From the link you posted:

    Sajaad Nawaz and Shaiad Nawaz approached Kayleigh Underhill, Andrew Clarke and Reace Bowen who all worked at Allianz Insurance and persuaded them to hand over information regarding Allianz Insurance customers who been involved in collisions- the information was then sent by the brothers to claims management companies.

    😀

    You don’t appear to have read your own link you posted to have a moan about!

    Rich_s
    Full Member

    I’m currently amused by the fact that they have sold information about a breakdown on. My breakdown cover is via my insurance and since I had a couple of breakdowns recently I’ve been plagued by calls (from people who know my name/mobile number) asking about my recent accident. Yes, the insurers sent a recovery truck out, but there was no accident involved. And due to the fact that no-one else was involved it’s pretty easy to work out where the data came from…

    Erm. Yes it is. The truck? Mention it to any friends?

    CountZero
    Full Member

    Realistically the only way to guarantee it would be

    Banning phones or cameras from the office
    Ban printing of anything
    Carry out strip searches at the end of everyone’s shift to ensure they’re not sneaking out documents, handwritten notes etc

    Place I worked up until last year was level one GC/PCI compliant, no phones or any electronic equipment or cameras were allowed into the area I worked in, no coats, bags or jackets were allowed in either, and anyone could be asked to turn out their pockets at any time, plus there were two cameras in one room I worked in, eight in another.
    A temp was caught sneaking cash from envelopes into her pockets and the police were called straight away.
    Of course it would have been possible to bring in a thumbnail-sized 64Gb flashdrive and put it into a USB port on one of the computers, and download a shitload of client data, but it wouldn’t have been easy with the cameras watching everything. Computers had to be locked the moment you left your desk, as well, despite everyone working from the same databases, it was more for temps not being able to see anything important on screen.

    cinnamon_girl
    Full Member

    I’d like to know why the Financial Ombudsman wasn’t interested when I made a written complaint that staff at Aviva insurance company had passed on my personal information following a car accident resulting in being bombarded by daily calls.

    Would also like to know why the CEO’s office of Aviva failed to take my complaint seriously yet a month later the BBC were reporting that some Aviva employees had been caught selling personal information.

    Aviva is the last company I’d use for any insurance. I would also speculate that the Financial Ombudsman can turn a blind eye, if it’s worth their while to do so.

    A murky industry indeed.

    FuzzyWuzzy
    Full Member

    Of course it would have been possible to bring in a thumbnail-sized 64Gb flashdrive and put it into a USB port on one of the computers

    I would have hoped not, disabling USB ports or running end-point protection software so that only pre-authorised USB sticks can be used is pretty trivial these days

    Jakester
    Free Member

    cinnamon_girl – Member
    I’d like to know why the Financial Ombudsman wasn’t interested when I made a written complaint that staff at Aviva insurance company had passed on my personal information following a car accident resulting in being bombarded by daily calls.

    Would also like to know why the CEO’s office of Aviva failed to take my complaint seriously yet a month later the BBC were reporting that some Aviva employees had been caught selling personal information.

    Aviva is the last company I’d use for any insurance. I would also speculate that the Financial Ombudsman can turn a blind eye, if it’s worth their while to do so.

    A murky industry indeed.

    Probably because the FOS wouldn’t have jurisdiction to deal with a complaint concerning misuse of personal data – the correct person to complain to is the Information Commissioner…

    As to your slur about the FOS (which is pretty outrageous) in my (considerable) experience in dealing with them, they are hugely consumer focused and will often use their statutory power to consider what is “fair and reasonable” to reach a conclusion in favour of the consumer even though it is not capable of being legally substantiated (i.e. the law does not support that conclusion).

    The fact that your complaint was not upheld means either it didn’t fall within the jurisdiction of the FOS to entertain (eg it related to matters more properly dealt with by the ICO) or it simply had no credence.

    FuzzyWuzzy – Member
    I would have hoped not, disabling USB ports or running end-point protection software so that only pre-authorised USB sticks can be used is pretty trivial these days

    I worked for a supplier to insurance companies – we did a considerable amount of other work as well – and we had to have all of our write privileges suspended on all work computers. Perhaps 10 years ago you might have been able to do it, but not these days. The GDPR will impose even tighter restrictions on the misuse of personal data as well.

    cinnamon_girl
    Full Member

    Jakester – firstly it is not a slur, I stated that I was speculating. Of course my post was a brief snapshot of events, I did speak with the Information Commissioner’s Office several times and in fact was given conflicting advice on each occasion.

    The FO was given plenty of information but my overriding impression was that they weren’t interested. I realise that Ombudsman organisations are overworked and short staffed and obviously are unable to investigate every single concern that’s brought to their attention. Nevertheless I am left with the impression that all the organisations with whom I had contact with were making the right noises but actually did naff all.

    Jakester
    Free Member

    That:

    all the organisations with whom I had contact with were making the right noises but actually did naff all

    Is a bit different to that:

    the Financial Ombudsman can turn a blind eye, if it’s worth their while to do so

    The implication in the latter statement is that some form of bribery or collusion has taken place. Somewhat different from being underresourced.

    Unlikely they “weren’t interested” – probably more that your complaint wasn’t one that fell within their jurisdiction. If you are an eligible complainant, and have acquired the right to refer a dispute to the FOS, and it is a complaint that falls within their jurisdiction, there are only limited grounds under which they can refuse to deal with it (see R3.3.4):

    https://www.handbook.fca.org.uk/handbook/DISP/3/3.html

    slowoldgit
    Free Member

    the information was then sent by the brothers to claims management companies.

    And is anyone following that trail?

    Have the Insurance Cos contacted the innocent victims?

    Jakester
    Free Member

    No, I’m sure the police won’t be doing anything. Nothing at all. Nosiree.

    Why would they update the public about an ongoing investigation? Here’s an idea: if you’re that bothered by it (and it seems you really are) why not call Action Fraud/COLP and ask what’s going on?

    If I were you, I’d head down to your local garden centre, because it sounds like that axe you’re grinding has nearly worn down.

    slowoldgit
    Free Member

    I just looked on abi.org to see if they said anything in their news section about the guilty verdicts. They are free to mention those…

    I’ll leave others to check, for I might have missed something. I’m careful around axes, might have been distracted.

    Jakester
    Free Member

    Did an insurance company kick sand in your face or nick your girlfriend when you were a kid? 😀
