
Man fined after selling unlawfully obtained personal data of online bingo players

Out-Law News | 14 Nov 2011 | 12:51 pm

A man who made approximately £25,000 from selling unlawfully obtained personal data has been issued with a £1,700 fine and conditional discharge by a UK court.

Information Commissioner Christopher Graham has reiterated his demand that the Government activate powers for courts to jail those who exploit stolen data.

Graham said that punishment needs to fit the crime and called for the Government to "activate" laws "that would allow courts to consider other penalties like community service orders or the threat of prison".

Under the Criminal Justice and Immigration Act, the Secretary of State has the power to introduce new regulations that would allow a prison sentence to be available where a person unlawfully obtains personal data. This power has not yet been brought into force.

Individuals face fines of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court, for offences relating to the unlawful use of personal data.

"The Information Commissioner's Office (ICO) continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information," the ICO said in a statement.

Graham made his comments in a statement containing details about the sentencing of a former gambling industry worker for three offences under the Data Protection Act.

Marc Ben-Ezra sold on details of tens of thousands of bingo players, compromising their privacy and exposing them to nuisance marketing, the ICO said. He pled guilty to three offences under the Data Protection Act for selling more than 65,000 Foxy Bingo online customers' data to a company investigating his activity, the watchdog said.

Hendon Magistrates Court handed Ben-Ezra a three-year conditional discharge and ordered him to pay £1,700 to Cashcade Limited, the marketing company that controlled Foxy Bingo's customer database, and £830.80 in costs, the ICO said.

"This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity," Information Commissioner, Christopher Graham, said in a statement.

"Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft," Graham said.

Under the Data Protection Act a person is generally guilty of an offence if they "knowingly or recklessly ... obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without consent from the 'data controller'.

Under the Act a person who sells or offers to sell unlawfully obtained personal data is also guilty of an offence.

Cashcade thinks that the Foxy Bingo data set, containing customers' names, addresses, email addresses, telephone numbers and usernames, was unlawfully obtained and sold to Ben-Ezra in 2008. Ben-Ezra was working for an Israeli poker company at the time, the ICO said.

In May Ben-Ezra sent emails under a fake name to gambling industry contacts offering to sell personal data. The emails contained details of about 400 Foxy Bingo customers, prompting Cashcade to employ an "investigative services company" to carry out a "test purchase" of the information being sold, the ICO said.

The company paid £1,700 to Ben-Ezra for sending the Foxy Bingo data, as well as data relating to 404 Gala Coral customers. Gala Coral also believes its data was unlawfully obtained, the ICO said.

Cashcade passed the test purchase data to the ICO, which investigated the matter and traced Ben-Ezra's email address back to a home address for his father-in-law. Ben-Ezra admitted the data protection offences during interview and passed over the laptops containing the data sets. He had claimed buying and selling customer data was "widespread" in Israel's gambling industry and that he had sold the information to pay off gambling debts, the ICO said.

The ICO said Cashcade had "co-operated fully" with its investigations and "assured" it that no Foxy Bingo customers' accounts had been "compromised" as a result of the data loss. The watchdog also reported that it had received no complaints from the customers on either the Foxy Bingo or Gala Coral lists.

"Attempts by Cashcade to identify the perpetrators of the 2008 breach have so far been unsuccessful but remedial action to prevent a recurrence has been taken. The company is continuing to pursue the other perpetrators," the ICO said.

"Foxy Bingo and Gala Bingo have proactively contacted affected customers to assure them that their account information is secure," it said.