Investigation: Your data for sale

Which?, February 2017

Companies could be selling your personal and financial data to nuisance callers and scammers. Zoë Blackler uncovers a murky industry.

Undercover Which? Money research has found companies selling people’s personal details together with financially sensitive information about pensions, income and investments, sparking an investigation by privacy watchdogs.

We can reveal evidence of irresponsible behaviour and opaque supply chains in the consumer data-broking industry, with names, numbers and even pension details changing hands for as little as four pence a record. Posing as a dodgy pensions advice firm, we were even sent a sample telephone list on which 13 out of 18 people were registered with the Telephone Preference Service (TPS).

During our investigation, just four out of 14 firms that we contacted refused to consider us as a potential buyer of personal data – even though our fake company looked remarkably like a scam outfit.

The other 10 offered us names and numbers even though we said we planned to call people as young as 50 with our ‘early pension release opportunities’. The Financial Conduct Authority (FCA) warns that early pension release is almost certainly a scam. It advises anyone approached with such an offer to contact Action Fraud, the national fraud-reporting service.

Under the Data Protection Act 1998 (DPA), all companies involved in the data trade are required to ensure their handling of people’s personal details (including any decision to sell) is fair and lawful. The data regulator’s guidance – which sets out how organisations should comply with the law – is clear that this requires a careful check on how potential clients will use the information.

A few quick online checks, however, would have revealed that our ‘company’ was not listed at Companies House. It was not FCA regulated, despite our claim to offer investment advice, and it was not registered with the Information Commissioner’s Office (ICO) – a must for anyone trading in personal data. Our supposed business address was a non-existent flat number in a residential housing block.

One company we found trading in data wasn’t registered with the ICO itself – a criminal offence. Another offered to sell us data that had previously been sold to pension advisers under investigation by the FCA. Few of the companies we approached were either willing or able to tell us the exact source of the lists. Several that did provide more detail described ‘consent’ obtained in ways that we think would fail to satisfy the regulator.

When we embarked on our investigation, we expected to find a handful of companies behaving disreputably. Instead, we were shocked to find an industry where the pursuit of profit too often appears to trump respect for individuals’ rights, their privacy and even their safety.

We’ve now shared our findings with the ICO, which described them as ‘very concerning’. It has pledged to investigate further and to consider enforcement action if it finds companies haven’t followed the law.

EARLY-RELEASE SCAMS

In April 2015, a change in the law gave pension holders new freedom to cash in their pensions. Almost immediately the fraudsters began circling. In the year following the changes, reported fraud increased from £10m to £18.7m.

Perhaps the cruellest form of pension fraud is the early-release scam. The law changes apply only to the over-55s, but scammers convince younger victims that they too are allowed to access their pension early. What victims don’t realise is that they’ll be hit with a substantial fee and a huge tax bill from HMRC.

Many of these scams begin with a cold call. These aren’t random numbers picked from the phone book; scammers choose their victims wisely. More often than not they won’t just be armed with your name and address – they’ll also know your age, income and occupation, sometimes the type of house you live in and whether you own or rent, the size of your pension, the car you drive, and even your hobbies.

You may think this data would require time and effort to research. But for would-be scammers, there’s a near-inexhaustible source waiting to be tapped.

HYDRA’S HEADS

Enter an online competition, answer a lifestyle survey, or approve a company’s small print unread, and your personal details could soon be changing hands for cash – raw material traded along a murky supply chain.

At one end of this chain are the nuisance callers – the cause of more than 160,000 complaints to the ICO in 2015-16 and the reason why, in November 2015, the ICO announced it was opening out the fight. The court cases and prosecutions were not solving the problem, since each time the ICO managed to sever one of Hydra’s heads, as then-Commissioner Christopher Graham explained, ‘two grow back in its place’. It was impossible to break the nuisance callers without strangling the industry that feeds them.

The ICO, Mr Graham said, was now turning its attention to the list brokers: ‘By targeting the illegitimate aspects of the list-broking business that fuels this industry, we have the chance to truly strike down this monster.’

We decided to launch our own investigation into the companies feeding the ‘monster’. But, unlike the ICO, we wanted to find out whether firms trading openly in consumers’ personal details could be helping scammers.

Over several weeks last autumn we went undercover, posing as a scammer with a thinly veiled cover story. We invented a company with a scammy-sounding name, populated an off-the-peg website with cheesy stock images and promises of free pension reviews, and hired an actor to play the part of our ‘director’. Any broker doing its required due diligence would have rumbled us in minutes.

From the Direct Marketing Association’s website we found a list of member organisations that trade in data. We supplemented this list with results from our own Google searches for terms such as ‘buy consumer lists’. We emailed each company on our list first and then had our actor follow up with calls. Initially, we said we were looking for the details of consumers aged 55 plus, with a pension and above-average income.

NO QUESTIONS ASKED

Our first call was to a company called Business Lists UK, which was happy to offer us data. During a later call, our request to reduce the age of our targets to 50-plus because we offered early pension release opportunities met with no reaction. We were invited to buy 2,200 names and numbers of professionals with pensions. Business Lists UK later denied that our actor mentioned early release and said that, if he had, it would ‘undoubtedly have asked further questions’. Our recordings of the calls, however, are clear that he did.

We moved on to Media Arrow, which initially touted a list containing more than 17,000 names before later issuing us an invoice for 5,000 with its bank details for payment, despite being told about our early pension release work. It assured our actor that we would receive the data as soon as payment was made. When we later approached Media Arrow for comment, it said that ‘the necessity for pre-payment has added an additional barrier to those of a fraudulent persuasion’ – a laughable assertion, in our view.

Sheffield-based BDP Agency, which claims among its clients HSBC, Eon and Thomson Reuters, was similarly unfazed when our actor mentioned early release. BDP now claims that it made multiple attempts to call him to carry out due diligence, but received no response. BDP also argued that it only sends out invoices once vetting is completed. But our fake firm received an invoice for 4,000 names along with an email stating ‘please find attached your invoice’. Not the ‘final invoice’ according to BDP.

Another firm, Targets Located, actually sent us a sample of its data, later admitting that its account manager failed to carry out ‘the necessary checks on this occasion’. Alarmingly, when we checked, most of the numbers on the sample list were registered with the TPS.

BEST PRACTICE

Refusals to deal with us were the exception rather than the norm. Only four firms demonstrated what we would regard as best practice when our actor approached them. Marketing Source told him: ‘The onus is on us to ensure… we have a good understanding of the purpose and… how that data is being used.’

With phone marketing that was particularly pertinent, its salesman said. He asked: ‘You’re fully FCA regulated I presume?…Because pensions is regulated and we’d need to tick the box on due diligence.’

The second firm to call us out, Evolution DM, asked for the script we’d follow during calls. And the third, Call Credit Information Group, insisted on seeing proof of our company status as well as our ICO and FCA registrations before it would even quote us on numbers.

In total, we got as far as collecting order forms or invoices from 10 firms (see table, right) – but we stopped short of handing over cash. Only a handful asked even the most basic questions about our planned telemarketing campaign. All 10 were told we planned to call our targets and offer them early pension release – a screaming red flag for scams.

VALID CONSENT

The failure to perform due diligence wasn’t the only serious issue we discovered. We also found numerous companies that appear to be in breach of the ICO’s guidance on consumer consent. How that consent should be obtained is set out in the DPA and its sister law, the Privacy and Electronic Communications Regulations 2003 (PECR). But from the many conversations we had with the brokers during our investigation, it seemed most were either blissfully ignorant of the law, or blatantly flouting it.

The DPA and the PECR, as explained in the regulator’s guidance document, don’t outlaw all unsolicited marketing, but they do establish robust limits to how it can be conducted.

In general, if you agree for one organisation to pass on your details to another for marketing, your consent must be ‘knowingly and freely given, clear and specific’. The ICO guidance states that you must know which exact organisations, or, at a push, which precisely defined type of organisations, your details will be passed on to and for what specific purpose. A line buried in a rarely read privacy policy approving marketing from ‘selected third parties’ wouldn’t pass the ICO’s test.

Companies engaged in direct marketing must also keep records of how their lists have been sourced and permission obtained. If they can’t prove valid consent, they may be subject to enforcement action. And yet most of the companies we approached were vague about where their data originated. Many said it came from online or phone surveys.

Business Lists UK told our actor that its lists were compiled by people filling in questionnaires about their lifestyles, or by completing things like guarantee forms. ‘We’ve all done it,’ it said.

Business Lists UK was also one of two companies that told us the data it would sell us didn’t require opted-in consent since we were buying phone numbers not emails. It’s true that consent isn’t required to call numbers that aren’t registered with the TPS. But if an organisation knows the name of the person it’s contacting, it must comply with the DPA. When we approached Business Lists UK for comment, it told us that all the information it supplies ‘is fully compliant with current UK data protection law’.

Intec Data Group – which offered to give us details of people’s investment habits, property type and property value – shared with us the opt-in at the end of its questionnaires. Subjects are asked to confirm ‘that they’re happy for us to share the information with related parties to our company for contact purposes for marketing’. Our fake company was in no way related to Intec Data Group.

Intec’s salesman, who offered us 10,000 records at just 3.5p each, was upfront about another flaw with its lists: ‘Consumers that do tele-surveys sometimes aren’t concentrating when giving the information over, which is why it’s priced like that… there’s a level of inaccuracy when you’re dealing with tele-survey data.’ Intec declined to comment on this point, but did stress that it would never have sold data to our outfit.

The other broker selling dirt-cheap data, at just 5p a record, was UK Datahouse, which told us its data wasn’t gathered exclusively for companies like ours selling pensions, but came from a lifestyle survey: ‘The opt-in [consent] will be for third-party marketing for all different types of campaigns.’

This failure, however, is minor compared with another discovery we made about UK Datahouse (a trading name for UK Marketing Group Limited). Although it had an ICO registration number on its website, neither entity was registered with the ICO – a criminal offence. UK Datahouse now admits that ‘due to an administrative oversight its ICO renewal was late by 23 days but has now been rectified’.

DATA SUPPLY CHAIN

The ICO is clear that consent is a one-step process, so for data to be traded on again, new and specific consent would need to be obtained.

However, three companies told us their lists came from other data traders. For example, one of the companies included in our investigation said it used a large data house, which in turn used another company that conducts online competitions. In answer to a question we asked about the consent obtained for the data we’d be buying, it directed us to the consent obtained by the competition runner – two steps along the supply chain. That firm requires competition entrants to allow their details to be shared with its clients which ‘may include commercial, not-for-profit, research, public regulatory authorities, and political organisations’. In other words, anyone and everyone.

On first look, another company, Wyvern Data Marketing, appeared to be obtaining specific consent. During its phone surveys, customers are apparently asked: ‘Do you have a private pension and would you like a free review of its performance?’ But we think its work with people offering free pension reviews should put it squarely in the ICO’s cross hairs: the FCA warns the recipient of any call offering a free pension review to hang up immediately – it’s probably a scam.

PENSION LEADS

Another company also told us it could generate pension-specific marketing leads. Targets Located told us it could run a phone survey from its call centre asking: ‘Have you been paying into a pension for over 15 years? If yes, would you want to discuss your options regarding that with a government-regulated company?’

The company also offered us the option to buy two existing lists. We were told the first – 26,000 names along with NI number, pension provider, size of pension and even policy numbers – was from an introducer to pensions adviser Warwick & Eaton. In 2014, Aviva refused to transfer one of its customer’s policies to Warwick & Eaton over concerns it was offering early pension release. The transaction would not have been in the customer’s best interests, Aviva maintained. Several other big pensions providers reportedly shared Aviva’s concerns.

When pressed on the source of the list, the salesman assured us it was opted-in and compliant, saying: ‘It’s not off the back of a lorry.’

The second list had previously been introduced to two firms: lead generator Hennessy Jones and financial adviser Henderson Carter. ‘Not all customers transferred, but those that did are in a Sipp,’ (a self-invested personal pension), the salesman told us.

The FCA register entry for Henderson Carter warns: ‘This firm is to cease from conducting pension business until such time as they have had their sales process reviewed… Information has been provided to the FCA which has given rise to serious concerns with respect to the adequacy of the firm’s pensions advice,’ including its relationship to Hennessy Jones.

Targets Located later told Which? Money that both lists were purchased from third parties registered with the ICO and that it was offered assurances that the data complied with the law. However, in light of our findings, it has now ceased promotion and supply of the lists pending investigation.

Meanwhile, we gained more insight into how phone surveys work during a call with a salesman from Choose Leads. ‘The job of the survey is trying to capture information off the customer [sic] and then to opt them in for a marketing call.’ He told us the company uses a call centre in India, Choose Lifestyle, which asks questions about everything from utilities to insurance and pensions. The salesman also had some advice for us when we dialled: ‘From my experience, it’s sometimes not worth mentioning that they took a survey a month or two months ago. These people forget within a day. Client calls them up and they’re like, “we never took a survey”. Then we’ve got to supply them call recordings.’

There’s another good reason to keep quiet about the Choose Lifestyle survey. A Google search leads straight to the nuisance-call reporting site Tellows, and dozens of complaints. One person writes: ‘I get at least five calls from them every day. They are really stubborn and they want to know every bit of sellable information about you.’

An ICO spokesperson said: ‘The findings from Which? are very concerning and appear to raise serious issues about the compliance of organisations with data protection law. People have the right to know what happens with their personal data and be given a choice about how their details are used.’

COMMENT: TIME TO GET TOUGH ON DATA BROKERS

When we set out to masquerade as pensions scammers for this investigation, we thought hard about how to present ourselves. We needed to look convincing enough to have a chance of success, but still shady enough that reputable brokers would see through us.

One aspect of our approach was crucial. Whatever else we did, we would be asking to buy phone numbers.

Most scams begin with a cold call. Not least pension scams. In just the first year after George Osborne’s pension freedoms were introduced, £18.7m was stolen by cold callers selling fake investment opportunities.

So a ban on pension-related cold calling, proposed in the November 2016 Autumn Statement, is to be welcomed. But it’s clear that this move alone won’t solve the problem. Accompanied by sufficient publicity, the ban could alert potential victims to the danger, and it may deter those callers operating at the edge of legality, but it will do little to stop the real criminals either based in the UK or abroad. The latter will just carry on as normal, while the former could simply tweak their sales pitches to focus on investments rather than pensions.

We already have laws around the trade in data to prevent unscrupulous companies from collecting and selling your details to anyone who comes calling. But as our investigation proves, implementation of the rules needs to be far more robust. Because as long as the scammers can buy your information for just a few pence, that phone will keep on ringing.