ICO prosecution results in a first-ever prison sentence

In a prosecution under the Computer Misuse Act, a motor industry employee who had unlawfully accessed thousands of customer records has been sentenced to six months in prison.

Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed the personal data using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex. He continued to do this after he started a new job at a different car repair organisation which used the same software system, the ICO says.

The ICO decided to prosecute under s.1 of the Computer Misuse Act 1990 to reflect the nature and extent of the offence, and to give the sentencing Court a wider range of penalties. S 1 of the Computer Misuse Act 1990 refers to causing a computer to perform a function with intent to secure access to any programme or data held on that computer. It carries a custodial sentence of up to two years.

Mike Shaw, Group Manager Criminal Investigations Team at the ICO said:

“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.”

“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”

For further detials see the ICO.