Two former RAC employees in the UK were ordered to repay more than £118,000 after illegally selling personal data belonging to car crash victims. The Information Commissioner's Office said the pair were previously convicted under the Computer Misuse Act 1990 and Data Protection Act 2018 after about 29,500 records were copied from RAC systems and shared over WhatsApp with an unknown buyer; one defendant now faces 18 months in prison if she does not repay the proceeds within three months.
Why it matters: This matters because insiders abused access to sensitive data from people involved in road accidents, showing how personal information can be monetized after a breach from inside an organization. For defenders and regulated firms, it underscores the need for monitoring, least-privilege access, and rapid response to suspicious data exports.
2026.06.04
100% relevant
The article establishes a trackable story by providing a substantive legal outcome in a real insider data-theft case involving RAC crash-victim records and the use of UK privacy and computer-misuse laws to recover criminal proceeds.
← Back to all stories