An undercover Which? Money investigation reveals that potential nuisance callers and would-be scammers may be able to buy your sensitive personal and financial information for as little as 4p a record.
Which? investigated 14 data-selling companies by posing as a dodgy firm with the intention to contact people about early pension releases – a common pension scam. Researchers were able to order forms or invoices from 10 firms contacted, but stopped short of actually buying the data on offer.
Undercover researchers uncovered numerous examples of irresponsible behaviour and were able to discuss buying personal information for more than half a million people aged 50 and over, including salary, pensions, homes and jobs. Some of the examples included:
- An invoice issued by one company for nearly 500,000 pieces of personal information, including phone number and address, on people with a household income of £40,000+, at just 4p each
- Another firm issued an invoice for 2,200 names and numbers of people with a household income of £35,000+ at 66p per item
- One company sent a sample telephone list on which 13 out of 18 people were registered with the Telephone Preference Service (TPS) – the central opt-out register where people can record their preference not to receive unsolicited marketing calls
- Another company issued an invoice containing bank details for 5,000 records at 24p per item with assurances that the data would be sent as soon as payment was made
By doing some basic research the list brokers could have discovered that the fake business set up by Which? was not listed at Companies House; that it wasn’t FCA regulated – despite the claim it offered investment advice; and that it was not registered with the Information Commissioner’s Office (ICO) – a must for anyone trading in personal data.
Four firms demonstrated what we believe to be best practice by refusing to deal with the fake pensions company from the outset. The other 10 firms still failed to carry out due diligence up to the point where orders were being placed.
Personal information can end up in the hands of list brokers if people have entered an online competition or answered a lifestyle survey. One salesman, when pressed for the source of a list, assured investigators that it was opted-in and compliant.
When Which? contacted the companies investigated, many defended their actions stating that ‘they would have carried out further checks’ before sharing the data. The company that shared sample data (with 13 of 18 registered with TPS) did admit that it ‘did not carry out the necessary checks on this occasion’.
Alarmingly, one of the companies dealt with wasn’t even registered with the ICO at the time of the investigation – a criminal offence. They later admitted to an ‘administrative oversight’ that had caused a 23-day delay to their registration renewal.
Many companies appeared to be in breach of the ICO’s guidance on the consent consumers give to have their details shared. For consent to be valid it should be ‘knowingly and freely given, clear and specific’. Some companies were using such vague consent that it was unlikely to pass the ICO’s test.
Which? has presented its findings to the ICO, who found them ‘concerning’ and raising ‘serious issues’ about the compliance of organisations with data protection law.
Which? wants the Government to continue to take action on nuisance calls, with new rules to hold company directors to account for bombarding consumers with unlawful calls to be brought into force as soon as possible.
Harry Rose, Which? Money Editor, said:
“Our investigation highlights that sensitive personal and financial data is being traded on a huge scale, with some companies apparently willing to sell to anyone who comes calling.
“Millions are already pestered by nuisance callers and targeted by scammers. To avoid ending up on a list, never give permission for your data to be shared by third parties and if you are called out of the blue about a financial opportunity, hang up and report it to the regulator.”
Notes to eds
- Which? investigated data-broking firms last autumn posing as a dubious, unregulated pensions advice company and discussed buying the personal details of more than 500,000 people aged 50+, including incomes, pensions, homes and jobs.
- More than 500,000 people have signed up to support the Which? campaign to call time on nuisance calls and texts. Find out more about the Which? campaign on nuisance calls here
- Which? issued a super-complaint in September 2016 to the financial regulators calling on them to ensure banks better protect customers who are tricked into transferring money to a fraudster. The PSR issued a response we felt let ‘banks off the hook’ and we advise more people to sign up to our petition which has over 263,000 signatures to date. For more detail, click here
- For advice and more information on your data protection rights, click here
- ICO response to investigation: ‘The findings from Which? are very concerning and appear to raise serious issues about the compliance of organisations with data protection law. People have the right to know what happens with their personal data and be given a choice about how their details are used. ‘We will be investigating these findings as they may provide a new line of enquiry to our ongoing work looking at the buying and selling of personal data. Where we have found companies have not followed the law we will consider enforcement action.’