A former employee of satellite broadcaster Sky leaked customer data to a warranty and repairs business, the UK’s High Court has ruled.
In 2010, Sky became aware that customers were receiving calls offering them warranty extensions just before their standard warranties expired. It discovered that the companies making the calls, named Digital Satellite Services and Nationwide Satellite Services, were owned by the same people.
It sued the companies, alleging that they "unlawfully came into possession and made use of confidential customer data taken from Sky’s customer databases for the purpose of marketing extended warranty service plans."
During investigations, the source of the data was identified as Sky ex-employee Steven Lee, as some of the data concerned was only accessible to him.
Lee denied the charges, but could not offer any explanation of certain details of the case.
"In cross-examination, Lee accepted that Sky data which had been supplied to him alone ended up with Digital, in particular that a USB stick was plugged into his personal laptop on a number of occasions and contained Sky customer data which ended up with Digital," the judge, Sir William Blackthorne, ruled.
"He also accepted that one of his work laptops was used to create disks containing Sky data which ended up with Digital. (He conceded that, although it may previously have been used by another Sky employee, the laptop in question was in his possession when the disks were created.)"
The judge said he was "quite unpersuaded" by Lee’s attempts to explain how the data came into Digital’s hands.
"The probabilities are… that he passed the data to an ex-employee of Sky … who left Sky under something of a cloud and who then set up a television satellite dish repair business.
"I therefore find that Mr Lee is liable for misuse of Sky’s confidential information, infringement of its database right and breach of his employment contract with [Sky]."
Information Age asked the Information Commissioner’s Office whether Sky may have breached the Data Protection Act by failing to prevent an employee from stealing its data. A spokesperson said that if the person was a trusted employee who needed the data to do their job, then the ICO’s complaint would be against the employee, not the company.