Two former RAC employees who sold personal data belonging to car crash victims to claims management companies have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data for financial gain, representing a textbook insider threat and data protection failure. The case underscores the real-world financial and legal consequences of misusing access to sensitive personal data.

Architect’s Take: Review and tighten data access controls for employees handling sensitive personal information — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer PII.

Original advisory: Duo who sold car crash victims’ data must repay £118k

Two former RAC employees who unlawfully accessed and sold personal data belonging to car crash victims have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data systems to pass information to claims management companies. The case highlights the ongoing risk of insider threats and the serious financial consequences now being pursued by regulators and prosecutors.

Architect’s Take: Review and tighten data access controls for staff handling sensitive personal data — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer contact or incident data.

Original advisory: Duo who sold car crash victims’ data must repay £118k