Summary
Two men, Christopher Munro (37) and William Chipoma (35), have been convicted for stealing and selling personal data linked to hundreds of garages, following an Information Commissioner’s Office (ICO) investigation into unlawful data trading connected to nuisance calls. Sentenced at Minshull Street Crown Court on February 11, they admitted offenses under the Computer Misuse Act 1990 and Section 55 of the Data Protection Act 1998.
Key outcomes
- Munro: 32-week sentence, suspended for 12 months; 150 hours of unpaid work.
- Chipoma: 10-month sentence, suspended for 12 months; 240 hours of unpaid work.
- Scope: Data taken from around 400 garages; investigation has produced 10 prosecutions and 3 cautions to date.
How the offending worked
- Insider access was central: both men sought jobs giving access to customer records, then extracted and sold data.
- Munro accessed thousands of records at two companies (2015–2016), receiving about £16,000.
- Chipoma accessed and sold data over 2015–2017, receiving about £70,550.
- Munro repeatedly applied for roles in claims management/insurance, leaving quickly if he could not reach target data; Chipoma followed a similar pattern.
Charges and legal context
- Each defendant: two counts under the Computer Misuse Act 1990 (unauthorized access to computer material) and two counts under Section 55 of the Data Protection Act 1998 (unlawfully obtaining/disclosing personal data).
- Conduct occurred before the UK’s 2018 data protection regime updates.
Why it matters
- The ICO links the scheme to nuisance call activity, where unlawfully harvested data (e.g., potential insurance or repair leads) is sold for marketing and lead generation.
- The sums paid illustrate the commercial value of illegally obtained personal data within the claims management sector.
Court and investigation notes
- Suspended sentences mean no immediate imprisonment if conditions are met during the suspension period.
- The ICO did not name the companies involved or specify data types, but reported that “thousands” of records were accessed without authority.
- This case is part of the ICO’s largest nuisance call investigation; further details on any remaining inquiries were not provided.
Takeaways for organizations
- Strengthen internal controls to prevent unauthorized staff or contractor access (e.g., least-privilege access, monitoring, and prompt offboarding).
- Train employees on data protection obligations and insider threat awareness.
- Audit access to customer records and implement alerts for anomalous access patterns.
