A former employee of RAC, one of Britain’s major roadside recovery service operators, has pleaded guilty to data theft after he stored traffic accident information on his personal device that was passed onto claims companies.

Asif Iqbal Khan, 42, was handed a £5,000 ($6,120) penalty, ordered to pay for court costs of more than £900 ($1,100) and a victim surcharge of £170 ($209) by Dudley Magistrates Court following an investigation by the country’s Information Commissioner’s Office.

He admitted two counts of data theft last month, the UK data watchdog said. The probe was launched after 21 drivers involved in road traffic collisions received phone calls from claims companies wanting to take up their case.

Khan was working as a RAC customer solutions specialist in 2019 when the company started getting calls from suspicious drivers that were called by claims companies in January that year.

The roadside assistance company reviewed ways that data could have been obtained and determined that Khan was the only one who had access to the data on the 21 crash victims. It then tipped off the ICO.

The ICO executed a search warrant at Khan’s address, seizing two phones and a customers receipt for £12,000. Khan was found to have stored data relating to 272 individual incidents on phones he owned.

Khan pleaded guilty to the counts of theft in a breach of Section 170 of the Data Protection Act.

Stephen Eckersley, ICO head of investigations, said in a statement: “Being involved in a road traffic accident can be deeply distressing – to then have this used and your data stolen as a result, adds insult to injury.”

He added: “We know that receiving nuisance calls can be hugely frustrating and people often wonder how these companies got their details in the first place.”

This is the second time an incident involving an RAC employees retaining road traffic accident data has gone to court. In 2021, former staffer Kim Doyle pleaded guilty to charges of conspiracy to gain unauthorized access to computer data and selling RAC customer info to an accident claims management company.

In this instance, Doyle, at the time of 33 Village Lane, Higher Whitley in North Yorkshire, England, created lists of traffic accidents that included partial names, mobile phone numbers and car registration data. This was done without the RAC’s consent. She was subsequently fined £25,000 ($30,600), ordered to carry out 100 hours of unpaid work and pay £1,000 ($1,220) toward costs.

We have asked the RAC to comment, and specifically if it has undertaken any measures to try to prevent this from happening again. The company has yet to respond.

Following the earlier Doyle incident, it said at the time: “We take our responsibility for protecting personal data extremely seriously and take a zero-tolerance approach to any misuse of personal data.” ®