ICO recovers £118,852 from two former RAC employees

On 4 June 2026, the ICO secured confiscation orders totaling £118,852.32 against two former RAC employees for illegally selling nearly 30,000 lines of motorists’ data, underscoring increased post-conviction use of POCA powers.

Summary — On 4 June 2026, the UK Information Commissioner’s Office (ICO) announced confiscation orders totaling £118,852.32 against two former RAC employees, following their conviction for the illegal sale of data taken from internal systems.

The facts

Applying the Proceeds of Crime Act 2002 (POCA), Manchester Crown Court ordered Debbie Okparavero (Salford) to pay £85,727.32 plus £3,550 in costs, and Maliha Islam (Manchester) to pay £33,125.00 plus £2,797.50 in costs, a total of £118,852.32. The ICO noted that the £33,125.00 order, made in November 2025, has already been paid; the larger order must be paid within three months, failing which a default sentence of 18 months’ imprisonment applies.

These financial orders follow the sentencing on 8 October 2024 at Minshull Street Crown Court, where both received six months’ imprisonment, suspended, and 150 hours of unpaid work after pleading guilty to conspiracy to commit offences under the Computer Misuse Act 1990 (s.1) and the Data Protection Act 2018 for copying and selling “nearly 30,000 lines of personal information.”

Legal basis

  • Initial criminal offences: unauthorised access to computer material (Computer Misuse Act 1990, s.1) and unlawful obtaining and disclosure of personal data (Data Protection Act 2018, s.170), with convictions in October 2024.
  • POCA confiscation orders: financial recovery ordered in November 2025 and announced in full on 4 June 2026, based on the court’s assessment of the benefit obtained from the offending.

By analogy, for EU and Luxembourg organisations the case illustrates the GDPR security and governance requirements (Arts. 5(1)(f), 24 and 32) that insider risk puts to the test. In a comparable incident the notification duties would also apply: the supervisory authority must be informed within 72 hours under Art. 33 and, where the breach is likely to result in a high risk, the affected data subjects under Art. 34.

What this means for Luxembourg organisations

  • The threat is not only external: a single insider account can exfiltrate large, valuable datasets when access control, segregation of duties and logging are weak.
  • UK authorities focus on stripping criminal profits. After a comparable incident in the EU, supervisory scrutiny would target strong authentication, logging, DLP and privileged-account oversight, as required by GDPR Art. 32 and, for financial entities, by DORA.
  • Groups operating in the UK should anticipate POCA proceedings beyond the initial sentence and ensure internal policies enable rapid detection, reporting and cooperation with the authorities.

Actionable steps

  • Map “monetisable” datasets and enforce need-to-know with tamper-evident logs; deploy UEBA alerts on abnormal exports. A targeted security and logging assessment helps close gaps quickly.
  • Constrain exfiltration: DLP on email, endpoints and browsers; quotas and alerts on CSV exports; blocking of non-approved removable media; watermarking of sensitive extracts; and a managed SOC to detect exfiltration attempts.
  • HR-Security-Legal governance: disciplinary clauses, segregation of duties in call centres and back office, quarterly access reviews, insider-threat training, and tested incident response and notification procedures; for financial actors, align with DORA resilience requirements.
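The export-quota and abnormal-export alerting described in the steps above can be prototyped on an application’s own audit log before any UEBA product is bought. The following Python script is an added example written for this article; it is not code from Luxgap, the ICO or the RAC. The log format (one CSV line per export with date, user, action and record count), the daily quota of 1,000 records, the 5x median multiplier and the three-day minimum baseline are all assumed values chosen for illustration, and the log lines are constructed, not real motorist data. It scores each user-day twice: against a hard quota, and against that user’s own median of earlier, unflagged days, so a spike cannot inflate the baseline it is measured against.

```python
"""Flag abnormal bulk exports from an application audit log (added example)."""
from collections import defaultdict
from statistics import median
import csv
import io

# Constructed sample audit log (not real data): one line per export event.
# Fields: ISO date, user, action, number of records returned.
# agent02 runs two unusually large exports on 2024-03-04.
SAMPLE_LOG = """\
date,user,action,records
2024-03-01,agent01,export_csv,120
2024-03-01,agent02,export_csv,95
2024-03-02,agent01,export_csv,140
2024-03-02,agent02,export_csv,110
2024-03-03,agent01,export_csv,130
2024-03-03,agent02,export_csv,105
2024-03-04,agent01,export_csv,125
2024-03-04,agent02,export_csv,4800
2024-03-04,agent02,export_csv,5100
2024-03-05,agent01,export_csv,135
2024-03-05,agent02,export_csv,100
"""

# Assumed policy values; tune to the real dataset and role.
DAILY_QUOTA = 1000        # hard cap on records a single user may export per day
BASELINE_MULTIPLIER = 5   # alert when a day exceeds 5x the user's own median
MIN_BASELINE_DAYS = 3     # prior unflagged days needed before baselining


def daily_totals(log_text):
    """Return {user: {date: records_exported}} from CSV audit lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "export_csv":
            continue
        totals[row["user"]][row["date"]] += int(row["records"])
    return totals


def detect_abnormal_exports(log_text, quota=DAILY_QUOTA,
                            multiplier=BASELINE_MULTIPLIER,
                            min_days=MIN_BASELINE_DAYS):
    """Return a list of (user, date, records, reason) alerts.

    Two checks per user-day: an absolute quota, and deviation from the
    user's median over earlier days. Only days that were not flagged
    feed the baseline, so one spike does not mask the next.
    """
    alerts = []
    for user, per_day in daily_totals(log_text).items():
        history = []  # unflagged daily totals seen so far for this user
        for day in sorted(per_day):
            count = per_day[day]
            reasons = []
            if count > quota:
                reasons.append(f"exceeds daily quota {quota}")
            if len(history) >= min_days:
                base = median(history)
                if count > multiplier * base:
                    reasons.append(f"{count / base:.1f}x user median {base:.0f}")
            if reasons:
                alerts.append((user, day, count, "; ".join(reasons)))
            else:
                history.append(count)
    return alerts


if __name__ == "__main__":
    for user, day, count, reason in detect_abnormal_exports(SAMPLE_LOG):
        print(f"ALERT {day} {user}: {count} records ({reason})")
```

On the sample log the script raises a single alert, for agent02 on 2024-03-04, citing both the quota breach and the roughly 94x deviation from that user’s median; agent01’s steady 120 to 140 records a day produces nothing. In production the same two checks would run over the real export log (database audit trail, application log or DLP events) and feed the SOC, with the quota set per role rather than globally.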

Key takeaway

The RAC case confirms insider threats can yield significant illicit gains and that authorities will pursue recovery. Fine‑grained access control, continuous monitoring, and clear governance remain the best defence.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
