T-Mobile staff sold customers' details to rivals

The Information Commissioner's Office (ICO) said employees at the German-owned firm appeared to have passed the confidential details of accounts to several brokers in return for "substantial sums of money".

The scam emerged in the ICO's submission to the Government on penalties for deliberate data theft. It involved the sale of millions of individual pieces of data of thousands of phone users, the ICO said.

The third parties are thought to have cold-called customers whose contracts were due to expire, on behalf of rival networks, offering them cheaper calls, phone upgrades or other inducements in a practice known in the industry as "slamming".

T-Mobile called in the ICO, the data watchdog, once it became aware of the breach. When the investigators raided addresses, they found that the scam involved millions of records.

The German-owned company expressed anger that the media had been alerted to the breach when it had believed it would be kept out of the spotlight until the case came to court. "T-Mobile takes the protection of customer information seriously," Britain's fourth largest mobile operator said. "When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the ICO.

"We had been asked to keep all information on this case strictly confidential so as to avoid prejudice to the investigation and prosecution," the company added. "We were therefore surprised at the way in which these statements were made [by the ICO]."

The Information Commissioner, Christopher Graham, divulged the existence of the scam as he called for tougher sentences on individuals who breach data protection laws.

He did not at first name the operator involved, saying it could prejudice a prosecution, but said the stolen information included names, addresses, telephone numbers and other contract details.

But after Orange, Vodafone, 3, Virgin and 02 said they were not the subject of an investigation, T Mobile was forced to confirm its involvement.

Mr Graham said: "Many people will have wondered why and how they are being contacted by someone they do not know just before their existing phone contract is about to expire.

"We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data."

The Justice Secretary, Jack Straw, is consulting on whether to introduce jail terms for breaches of Section 55 of the Data Protection Act from 1 April 2010.

Jill Johnstone, director of Consumer Focus, said: "Those responsible for trading the personal details of mobile users should face a tough penalty. This is a serious incident and shows the need for tighter data security among mobile phone providers. Customers at risk should be informed immediately and put on alert about marketing calls."

Shadow Justice minister Eleanor Laing said: "We need a beefed-up information commissioner with a full set of punitive strings to his bow, including the power to fine organisations."

The Liberal Democrat home affairs spokesman Chris Huhne said: "This sorry episode questions the Government's wisdom in getting communications providers to hoard increasing amounts of information about us."