June 30, 2025
By Lara Sheehy
A major data crime network has been exposed after eight men were convicted of unlawfully obtaining personal data from vehicle repair garages to fuel personal injury scam calls. The men obtained the personal data by bribing employees at vehicle repair garages and accident repair centers to unlawfully share details of recent car accident victims.
The ICO’s investigation - its biggest ever - uncovered a criminal ring that stole over one million records between 2014 and 2017.
🔍 The Data Breakdown:
☝️ Criminal Access – Garage systems across the UK were systematically hacked or infiltrated, with insiders paid to leak accident data. This gave criminals access to confidential customer records immediately after collisions occurred.
☝️ Misused Data – The stolen details were sold to claims management firms, who used them to cold-call accident victims and push fraudulent personal injury claims, often misleading individuals about their rights or the source of the call.
☝️ Massive Scale – Authorities seized over 4.5 million documents, 144,000 spreadsheets, and 83,000 media files during the investigation, reflecting the industrial scale of the operation and years of unlawful data exploitation.
This is not the only case of employees stealing personal data. In a similar case, an ex-employee of Nationwide Accident Repair Service continued to access personal customer data by using his ex-colleagues’ login details without permission. He was investigated by the ICO.
In a similar ICO investigation in 2024, a former Management Trainee at Enterprise Rent-A-Car was ordered to pay a fine after admitting he illegally obtained customer data. The Bupa case is another example of data protection misconduct: an employee sent bulk data reports containing the personal information of 547,000 Bupa customers to his personal email account and subsequently uploaded the data to the dark web. Bupa was fined as a result of this in 2018.
All of these cases highlight the need to:
• Strengthen Supplier and Partner Vetting – Ensure all third-party vendors, including garages and service providers, follow strict data protection protocols and undergo regular audits to prevent insider leaks or system breaches.
• Prioritise GDPR Compliance and Reporting – Maintain robust data access controls, monitor for unusual activity, and ensure prompt reporting of data misuse or breaches to mitigate legal and reputational risk under GDPR.