IT Security, ex-employees, fines and jail time

Posted by Nicola on Thursday 22nd November 2018

There have been two high-profile instances in the last couple of years where ex-employees have been unscrupulous with their previous employers' data.

Mustafa Ahmet Kasim, formerly employed by Nationwide Accident Repair Services (NARS), has been jailed under the 1990 Computer Misuse Act for stealing and selling personal data in 2016. He used an ex-colleague’s login to access data held within Audatex software.

So far, the ICO has not said whether there will be action taken against NARS or Audatex.

In another instance, Andrew Skelton, who was employed as an auditor by Morrisons (the supermarket), exposed around 100,000 Morrisons employees’ details on the dark web because of a grudge against the company.

He was jailed for eight years for fraud, unauthorised access to computer material, and disclosing personal data.

Morrisons has been sued by its employees and is fighting liability – all the way up to the Supreme Court.

These two instances of data theft happened to large organisations, but that doesn’t mean that small to medium businesses don’t face a similar threat. We rely on our employees to be honest and not abuse colleagues, customers, or us.


What steps can you take to reduce the risk of data abuse and provide a level of protection to all?

  • Have a policy on computer use and misuse. This includes password hygiene, email etiquette and data protection rules.
  • Make sure everyone understands this policy.
  • Enforce the policy.

Enforcing the policy means recording infractions and actions taken against policy infringers. This might take the form of an informal chat, a written warning or dismissal for gross misconduct.

To further demonstrate that the policy is being enforced:

  • Control access to USB drives and mass data downloads/uploads.
  • Disable all access to company services for any leaver as soon as possible.
  • Reset access to sensitive accounts that leavers might have gained access to.

If you can prove that you’ve done everything you can to prevent insider abuse of personal data, this may be the difference between a ‘telling-off’ and a major fine and/or liability claim.

If you would like an independent review of your internal IT Security processes and procedures, please contact us on 03331 50 60 70 or email us.