Eight Men Found Guilty in the UK’s Largest Ever Nuisance Call Investigation

June 30, 2025

By Lara Sheehy

Eight Men Found Guilty in the UK’s Largest Ever Nuisance Call Investigation

A major data crime network has been exposed after eight men were convicted of unlawfully obtaining personal data from vehicle repair garages to fuel personal injury scam calls. The men obtained the personal data by bribing employees at vehicle repair garages and accident repair centers to unlawfully share details of recent car accident victims.

The ICO’s investigation - its biggest ever - uncovered a criminal ring that stole over one million records between 2014 and 2017.

🔍 The Data Breakdown:

☝️ Criminal Access – Garage systems across the UK were systematically hacked or infiltrated, with insiders paid to leak accident data. This gave criminals access to confidential customer records immediately after collisions occurred.

☝️ Misused Data – The stolen details were sold to claims management firms, who used them to cold-call accident victims and push fraudulent personal injury claims, often misleading individuals about their rights or the source of the call.

☝️ Massive Scale – Authorities seized over 4.5 million documents, 144,000 spreadsheets, and 83,000 media files during the investigation, reflecting the industrial scale of the operation and years of unlawful data exploitation.

This is not the only case of employees stealing personal data. In a similar case, an ex-employee of Nationwide Accident Repair Service continued to access personal customer data by using his ex-colleagues’ login details without permission. He was investigated by the ICO.

A similar investigation took place by the ICO in 2024, when a former Management Trainee at Enterprise Rent-A-Car had been ordered to pay a fine after admitting he illegally obtained customer data. The BUPA case is another example of data protection misconduct: an employee copied the personal information of 547,000 Bupa customers as bulk data reports to his personal email account and subsequently uploaded the data to the dark web. BUPA was fined as a result of this in 2018.

All of these cases highlight the need for:

• Strengthen Supplier and Partner Vetting – Ensure all third-party vendors, including garages and service providers, follow strict data protection protocols and undergo regular audits to prevent insider leaks or system breaches.

• Prioritise GDPR Compliance and Reporting – Maintain robust data access controls, monitor for unusual activity, and ensure prompt reporting of data misuse or breaches to mitigate legal and reputational risk under GDPR.

Read more

Data-Privacy-Training-image

AllNet Law | IAPP Certification Programme
CIPP/E, CIPT and CIPM.

RECENT POSTS

Afghan Data Breach Highlights Failures in UK GDPR Safeguards
Decoding the "Consent or Pay" Debate
Eight Men Found Guilty in the UK’s Largest Ever Nuisance Call Investigation
High-Risk AI Systems: What Are They? Share Your Input
Privacy In Focus | June

CATEGORIES

AI
Biometric Data
CJEU
COVID
Cross-Border Data Transfer
Crypto
Data Breach
Data Governance
Data Protection
Data Sharing
EDPS
EU
Enforcement Action
GDPR Infringement
GDPR Principles
IAPP Resources
ICO
Law
Marketing
NYOB
News
PECR
Privacy Jargon Buster
SCC
Safeguard
Social Media
UK GDPR
US Laws
Web 3
ePrivacy Directive
ABOUT US

TRAINING, CONSULTANCY & AUDITING

Internet Law Specialists: Providing training and consultancy services on the Internet and related laws.

Company Registration:
England & Wales: 12054338
VAT Registration: 357653860

© ALLNET Law 2025
WHAT WE DO
Outsourced DPO ServicesData Protection TrainingCIPPE TrainingCIPM TrainingCIPT TrainingGDPR TrainingC-DPO Training
GENERAL
Terms and ConditionsCookies & Privacy NoticeContact Us
Phone Icon033011 38846
email iconinfo@allnetlaw.com
twitterlinkedin
BCS ImageIapp Image