Recently, a delivery driver working for the electrical retailer, Currys, has been fired after engaging in targeted data breach harassment. The driver, Jordan delivered a washing machine and dryer to a pregnant woman’s house whilst she was home alone in Bradford, West Yorkshire, before sending ‘creepy’ texts to the 21-year-old. Once the delivery was completed, Jordan breached GDPR protocol and sent inappropriate texts to who he believed to be the customer, Kacey but was actually her fiancé, Ryan.
After Ryan shared the texts online, another woman, Jessica, 31, revealed that she had also been targeted by Jordan with inappropriate text messages after he delivered a fridge freezer to her house. Jessica claims that she is now worried for her safety as the driver knows her phone number and home address.
The women had entered their contact details into the Currys system so that they could receive updates on their delivery. Once their goods are handed over, communication is no longer necessary and as a matter of policy (and GDPR), drivers are not to save the details or further contact the client. The Currys delivery driver did not adhere to this and broke company policy twice, resulting in a severe case of data breach harassment.
Data misuse of this nature is an abuse of customer trust and a breach of data protection laws, as per GDPR. As these incidents increase, customers are feeling more and more reluctant to hand over their details.
Too often rogue employees are stealing customers data and using it for their own personal benefit. Another case of data breach harassment dates back to 2020, when Libby, 29, a copywriter from Winchester received a text from an unknown person. The texter insisted that they knew Libby’s name and what she had been wearing the previous evening. Libby became fearful and soon realised that the person texting her was the man who had served her drinks at a small bar she visited the night before.
The man obtained Libby’s contact number through the government’s Test and Trace scheme, which required visitors of bars and restaurants to provide their personal details given the chance that they came into contact with somebody who tested positive for Covid. Many businesses were required to gather and store this information. It was not, however, to be used for personal interest.
Similarly, Charlotte, 27, a model from London was left afraid in her own home after receiving text messages from a Test and Trace employee. The worker had visited Charlotte’s house to make sure she was self-isolating after her trip to Majora. Moments after, the worker texted her asking, ‘Do I have permission to save your number at all?’. Despite Charlotte ignoring the text message, she revealed that the man later sent her a friend request on Facebook.
Charlotte unnerved at the situation, said: ‘I was alone and felt uncomfortable that he had access to all my details. It was drilled into me that I must stay at home, and the consequences if I didn’t were a fine of up to £10,000.’
Employees are often using their customers’ data without consent, leaving them in frightening circumstances. National efforts to try to stop the spread of coronavirus open the possibility for harassment; victims are feeling violated and fearful even when complying with government guidelines.
The ICO (Information Commissioner’s Office) defines personal data as information that relates to and can be used to identify an individual. Workers having access to high levels of data such as home addresses and phone numbers puts customers at great risk. This kind of misuse may be done with no malicious intent, nonetheless, it is still a data breach and breaches GDPR rules. Whilst these mistakes may be made from pure ignorance, the implications are profound.
Commenting on the misuse of data, Mark Montaldo, a director and data breach expert at CEL Solicitors, said: “The rise of these types of data breaches poses the question of whether organisations need to consider the types of data that their employees have access to. Companies must also prioritise developing thorough initiatives to educate their employees on data protection, what counts as a data breach, and the harm that it can cause.”