Two former RAC employees who unlawfully accessed and sold personal data belonging to car crash victims have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data systems to pass information to claims management companies. The case highlights the ongoing risk of insider threats and the serious financial consequences now being pursued by regulators and prosecutors.

Architect’s Take: Review and tighten data access controls for staff handling sensitive personal data — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer contact or incident data.

Original advisory: Duo who sold car crash victims’ data must repay £118k