A major High Street and online gambling company is alleged to have suffered the theft of millions of customer records, yet is just one of 100 organisations to have reported data breaches to the ICO in the last two months. A file of 3.5 million Ladbrokes customer records is claimed to have been offered for sale to the Mail on Sunday, which notified the ICO. The ICO in turn told the company about the data security breach and is investigating further.
David Smith, Deputy Commissioner, says: “We are particularly concerned that up to 3.5 million customer records containing personal information are allegedly for sale. Stealing personal data and selling it is a criminal offence. We will investigate whether an offence has been committed. We are determined to stamp out the unlawful trade in personal information and have recently urged the government to introduce a custodial sentence for people convicted of buying and selling personal details.”
The breach adds fuel to calls for new powers to be granted to the Information Commissioner. Parliament is currently considering amendments to the Coroners and Justice Bill which, if passed, would see tougher sanctions of up to £500,000 imposed on organisations that breach the Data Protection Act. The powers are expected to be granted as of 6th April.
While 100 organisations have voluntarily reported a data security breach to the ICO, bringing the total to 818 since November 2007, Smith warns against trying to conceal problems.
“We are keen to work with organisations to prevent breaches occurring in the first place and to help put things right when things do go wrong. Talking to us may, of course, result in regulatory action. However, organisations must act responsibly – those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions,” he says.