Former RAC Employees Ordered to Repay Over £118,000 for Selling Crash Victim Data
Two former RAC employees in the UK have been ordered to repay over £118,000 for illegally selling personal data of nearly 30,000 car crash victims, following a conviction under the Computer Misuse Act and Data Protection Act.
Two former employees of the UK's roadside assistance provider, RAC, have been ordered to collectively repay more than £118,000 for their involvement in selling sensitive personal data belonging to car crash victims. The duo, Debbie Okparavero and Maliha Islam, were convicted in 2024 for offenses under the Computer Misuse Act 1990 and the Data Protection Act 2018.
RAC's internal monitoring software detected suspicious data exfiltration activities, which led to an investigation by the Information Commissioner’s Office (ICO). The investigation revealed that Okparavero and Islam had been using WhatsApp to discuss and transfer the personal details of approximately 29,500 car crash victims to an unknown buyer. This data included sensitive information that could be used for various malicious purposes.
Maliha Islam was ordered to repay £39,522.50, which the ICO confirmed she has already paid in full. This financial penalty was part of her sentence, which also included a six-month prison sentence suspended for 18 months and 150 hours of unpaid work.
Debbie Okparavero faced a more significant financial penalty of £89,277.32, ordered by Manchester Crown Court on May 29th. She has been given three months to repay this sum, with failure to comply resulting in the activation of her 18-month suspended prison sentence. This reflects the court's assessment of her more substantial role in the data trafficking scheme.
Andy Curry, head of investigations at the ICO, emphasized the ongoing pursuit of justice, stating, "This outcome demonstrates justice did not end at sentencing. Our powers enabled us to continue to pursue these two individuals in order to strip them of assets gained through their serious criminal activity." He highlighted the use of the Proceeds of Crime Act to ensure that criminals do not financially benefit from their illicit actions.
The ICO also acknowledged the crucial role played by the RAC in reporting the incident and cooperating fully with the investigation. "I would like to once again thank the RAC for informing us about this breach and fully supporting the ICO’s investigation, which enabled us to hold these two individuals to account," Curry added.
This case serves as a stark reminder of the severe consequences for individuals who misuse their access to sensitive data. The conviction and subsequent financial penalties underscore the commitment of regulatory bodies like the ICO to pursue and recover illicit gains, reinforcing the importance of data protection and the legal ramifications of its violation.