Two former RAC employees who sold personal data belonging to car crash victims to claims management companies have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data for financial gain, representing a textbook insider threat and data protection failure. The case underscores the real-world financial and legal consequences of misusing access to sensitive personal data.

Architect’s Take: Review and tighten data access controls for employees handling sensitive personal information — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer PII.

Original advisory: Duo who sold car crash victims’ data must repay £118k