A British Gas employee has admitted selling around 1,700 customers' personal data for £45,000. Interestingly, the case was prosecuted under both the Data Protection Act 2018 ("the DPA") and the Theft Act 1968. That matters because the DPA offence of obtaining personal data without consent is punishable only by a fine, whereas those convicted of theft can be imprisoned. Personal data isn't usually considered 'property' under section 4 of the Theft Act, but files can meet the definition of property. The case is an example of the risk posed by insiders, and shows that UK authorities are willing to get creative when holding people accountable for misusing personal data for profit.
How the breach happened
The employee in question worked at a Coventry call centre for British Gas. Over six months in 2018, he repeatedly accessed customer accounts and downloaded names, addresses, dates of birth and energy usage details. He then sold this data to a marketing company. British Gas was made aware of the situation when customers started getting cold calls that matched the details in their records. That triggered an internal investigation, which led to a report to the ICO and, eventually, a criminal prosecution.
At Leicester Magistrates' Court the employee pleaded guilty both to obtaining personal data without consent, an offence under the DPA, and to theft under the Theft Act. The magistrates sent the case to Leicester Crown Court for sentencing, as magistrates' sentencing powers are limited to custodial sentences of up to 12 months.
The Insider Threat in practice
This case is a reminder that controls built to keep outsiders out do nothing against an insider using access they were legitimately granted. The employee's job was to verify customer details, so he was entitled to open individual customer records; what was abnormal was the volume he pulled and where it went. Without real-time monitoring or alerts for unusual access volumes, he was able to take large amounts of data without being noticed.
The criminal case and what's at stake
The court has signalled that the sum involved and the malicious nature of the conduct make a prison sentence likely. Sentencing is due later this year, and the court can also order confiscation of the £45,000 under the Proceeds of Crime Act 2002.
Regulatory angle and company exposure
So far, British Gas has not been fined by the ICO. The ICO usually reserves fines for organisations that lack appropriate technical or organisational measures. Early indications are that British Gas had basic controls in place and cooperated with the authorities. Affected customers could still bring civil claims for distress or loss of control over their data, however.
What Privacy Pros should take away
This incident is a wake-up call: managing insider risk needs to be built into your privacy programme from the ground up. No matter how good your external defences are, they won't stop a trusted employee from abusing their access should they decide to do so! Ongoing vigilance, layered controls, and a strong security culture are essential.
Key Takeaways
- Zero-trust applies internally too: use context-aware access controls and stick to least privilege, so a role that verifies one caller's details cannot bulk-retrieve records.
- Monitor and detect anomalies: use tools that flag unusually large numbers of records accessed, screen scraping or access at odd times, and make sure every alert gets prompt follow-up. An alert nobody triages is no better than no alert.
- Limit data exposure: mask or tokenise personal data where possible so staff see only the fields the task in front of them needs.
- Vetting and ongoing training: screen staff before hiring, re-check periodically, and provide regular, practical training on data ethics and security.
- Check your partners: make sure your partners are legitimate and bound by strong contractual restrictions on data use.
- Respond fast: British Gas acted quickly by reporting to the ICO. Fast action and open engagement with regulators can limit your exposure.
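The two detections the article keeps coming back to (the missing "alerts for unusual downloads" in the insider-threat section, and "big downloads ... or odd access times" in the takeaways) are simple enough to show in working code. The example below is added here and is not British Gas's tooling or anything from the original article. It assumes a line-per-access audit log of the form `<timestamp> <agent> <action> <account>`; the agent names, the working-hours window, the thresholds and the sample log it runs over are all constructed for the illustration.

```python
"""Added illustration (not British Gas's tooling, not from the article): two
simple detections for insider-style bulk access to customer records, run over
a constructed audit log. Log format, agent names, thresholds and the working
hours window are all assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WORK_START, WORK_END = 7, 20   # assumed working-hours window, hours of the day
MIN_ACCOUNTS = 20              # never flag a day with fewer distinct accounts
ROBUST_Z_LIMIT = 3.5           # usual cut-off for the median/MAD modified z-score


def build_sample_log():
    """Constructed audit log, one '<iso timestamp> <agent> VIEW <account>' line
    per customer record viewed. Six agents each view 6..12 distinct accounts a
    day during office hours for five days; agent_06 additionally views 40 more
    accounts between 01:15 and 02:33 on day 3 (2018-03-07)."""
    lines = []
    base = datetime(2018, 3, 5, 9, 0)
    for day in range(5):
        for n in range(1, 7):
            agent = f"agent_{n:02d}"
            count = 6 + (n * 2 + day * 3) % 7        # deterministic 6..12
            for i in range(count):
                ts = base + timedelta(days=day, minutes=35 * i)
                lines.append(f"{ts.isoformat()} {agent} VIEW acct_{day}{n}{i:03d}")
        if day == 2:                                 # the bulk, off-hours pull
            night = (base + timedelta(days=day)).replace(hour=1, minute=15)
            for i in range(40):
                ts = night + timedelta(minutes=2 * i)
                lines.append(f"{ts.isoformat()} agent_06 VIEW acct_night{i:03d}")
    return lines


def parse_log(lines):
    """Turn log lines into (timestamp, agent, action, account) tuples."""
    events = []
    for line in lines:
        ts, agent, action, account = line.split()
        events.append((datetime.fromisoformat(ts), agent, action, account))
    return events


def distinct_accounts_per_agent_day(events):
    """{(agent, date): number of distinct accounts viewed that day}.
    Distinct accounts, not raw views: re-opening one record many times is
    normal call handling, touching hundreds of different records is not."""
    seen = defaultdict(set)
    for ts, agent, _action, account in events:
        seen[(agent, ts.date())].add(account)
    return {key: len(accounts) for key, accounts in seen.items()}


def robust_z_scores(counts):
    """Modified z-score against the peer group (all agent-days), using median
    and MAD so that the abuser's own bulk day cannot inflate the baseline the
    way a mean/standard-deviation baseline would."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # MAD of 0: score in whole accounts
    return {key: 0.6745 * (v - med) / mad for key, v in counts.items()}


def flag_bulk_access(events, z_limit=ROBUST_Z_LIMIT, min_accounts=MIN_ACCOUNTS):
    """Agent-days whose distinct-account count is an outlier among peers."""
    counts = distinct_accounts_per_agent_day(events)
    scores = robust_z_scores(counts)
    return sorted(
        (agent, str(day), counts[(agent, day)], round(z, 1))
        for (agent, day), z in scores.items()
        if z > z_limit and counts[(agent, day)] >= min_accounts
    )


def flag_off_hours(events, start=WORK_START, end=WORK_END):
    """Number of record views per agent-day outside the working-hours window."""
    tally = defaultdict(int)
    for ts, agent, _action, _account in events:
        if not start <= ts.hour < end:
            tally[(agent, str(ts.date()))] += 1
    return sorted((agent, day, n) for (agent, day), n in tally.items())


def run(lines=None):
    """Run both detections; returns the alerts an analyst would follow up."""
    events = parse_log(build_sample_log() if lines is None else lines)
    return {"bulk": flag_bulk_access(events), "off_hours": flag_off_hours(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Two design choices are worth noting. The baseline is the peer group (every agent-day in the window) rather than each agent's own history, so a new starter with no history is still scored, and it uses median and MAD rather than mean and standard deviation, so one 50-account day cannot drag the baseline up and hide itself. The absolute floor (`MIN_ACCOUNTS`) stops a quiet team from generating alerts on a day that is merely busy; both thresholds are assumptions that would need tuning against real call volumes.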
For privacy professionals, this case is a reminder: your technology, policies and people all need to work together. Only a joined-up approach that accounts for human nature can really protect personal data - and your organisation's reputation - in a world where information is both an asset and a risk.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.