BreachExchange mailing list archives

Watchdog mulls SOCA's secret dossier of private dicks 'hired to hack, blag'


From: Lee J <lee () riskbasedsecurity com>
Date: Wed, 4 Sep 2013 01:18:28 +1000

http://www.theregister.co.uk/2013/09/03/ico_dodgy_gumshoe_client_probe/

The UK's privacy watchdog is now investigating whether corporate giants and
others breached the Data Protection Act by hiring private eyes who
allegedly hacked systems and blagged personal records.

The Information Commissioner’s Office (ICO) has received a list of 98
companies and individuals probed by the Serious Organised Crime Agency
<http://www.theregister.co.uk/2013/08/01/dodgy_pi_client_list/> (SOCA) -
which had been looking into claims of private investigators unlawfully
accessing records and “blagging” personal files to get information for
their clients.

SOCA's investigation, dubbed Operation Millipede, resulted in the
conviction of four men for fraud last year. On 30 August, SOCA passed more
than 20 files related to this investigation to the ICO, including
correspondence and receipts between clients and the private gumshoes.

Details of a further nine clients have been withheld by SOCA, at the
request of the Metropolitan Police, as they relate to ongoing criminal
investigations.

The ICO will now assess the SOCA material to establish whether or not the
private dicks' clients were aware that laws may have been broken in
obtaining requested information.

SOCA was heavily criticised for sitting on the information for several
years: it's claimed the cops' dossier
<http://www.dailymail.co.uk/debate/article-2401633/The-Mail-Sunday-Why-wont-police-reveal-SOCA-files.html>
revealed a hive of illegal activity - and a level of wrongdoing that was far
more widespread than the allegations of newspaper reporters'
voicemail-eavesdropping and blagging that led Rupert Murdoch to close the
*News of the World* <http://www.theregister.co.uk/2011/07/07/notw_to_close/>.

The ICO can wield several powers, depending on the outcome of the
investigation, to end any data snaffling or possibly launch a criminal
prosecution. Unlawfully obtaining or accessing personal data, contrary
to section 55 of the Data Protection Act 1998
<http://www.legislation.gov.uk/ukpga/1998/29/section/55>,
or failing to notify as a data controller, could result in a
prosecution against the customers of dodgy private dicks.

Other enforcement options include a civil action for breaching the Data
Protection Act, with monetary penalties of up to £500,000, and enforcement
notices and undertakings, to oblige changes in policies or procedures. The
ICO will also establish whether the clients fall under the ICO’s
jurisdiction. Initial estimates suggest as many as a quarter of the
clients may have been based outside the UK.

"We will liaise with our international counterparts where an organisation
or individual appears to have breached the Data Protection Act, but is
based abroad," an ICO statement
<http://www.ico.org.uk/news/latest_news/2013/ico-launches-investigation-into-rogue-private-investigator-clients>
explains.

The ICO warned that even the initial phase of its investigation is likely
to take several months. It will not be publishing the list of clients at
this stage, it says, so as not to prejudice any potential criminal
prosecution. ®
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
