T-Mobile staff in the UK allegedly sold customer data to brokers, who in turn sold it to competing phone firms. These firms then started calling customers, whose contracts with T-Mobile were about to expire, trying to get them to switch.
The number of customer records sold apparently is in the millions. The whole thing came to the surface when T-Mobile report suspicious activity in customer data to Information Commission. They started investigating and apparently found evidence to support the report. Selling customer data without their consent is illegal in the UK under the Data Protection Act.
Insider threats are big problem for organizations. When people who are expected to handle large amounts of data steal them, it can be very difficult to catch. And if the organization is very large, as in the case of T-Mobile, it can be a lot more difficult. This is because there are a lot more employees that might have access to data. Monitoring each and every one of them can be a huge problem.
While there are products (I refrain from using the “solutions” deliberately) that can restrict access to data and send out alerts when anomalous patterns of data access emerge, these kind of situations cannot be dealt with by the companies alone. Consumers also have to be aware of and be responsible for the safety of their information and identities.
According to people who know, the penalties for such illegal sales are too low to deter malicious persons from engaging in them. So, legislation has to be strengthened to provide teeth to law enforcement.
T-Mobile staff sold customer data