ICO knew about T-Mobile data breach for a year
A freedom of information request has shown the investigation has been underway since last December.
T-Mobile first notified data watchdogs that members of its staff were selling off personal data nearly a year ago, the Information Commissioner's Office (ICO) has admitted.
Last month, the ICO said it was investigating one of the major mobile operators - later found to be T-Mobile - after employees were discovered be selling off user data.
Since then, a Freedom of Information Act request has revealed that T-Mobile notified the ICO of the problem on 16 December last year.
The request also asked the ICO to detail how many people were involved in the case, how many warrants had been doled out, and correspondence between the watchdog and the firm - all of which the ICO refused to do, as such information is exempt from the act.
An ICO spokeswoman told IT PRO that the watchdog has several ongoing investigations that have not been made public, and that the year between the case being handed to it and now has been spent investigating. Since December, the ICO has "launched a full investigation and is preparing a a case for possible prosecution," she said. "We don't make public most of the details in our investigations."
Why no Phorm investigation?
The FOIA request, sent by P John, also asked why the ICO "would take such drastic action against T-Mobile, yet take no action at all with respect to the BT/Phorm scandal?"
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
To that, the ICO responded: "As you will appreciate the issues involved in these two matters are very different. In respect of the T-Mobile issue the ICO is looking into possible criminal offences committed under the DPA [data protection act] whereas the matter of BT and Phorm regarding targeted online marketing did not involve any criminal offences under the DPA but raised issues of fair processing and compliance with the first Data Protection principle."