The full investigation can be read in the February 2017 edition of Which? Money

A new Which? Money investigation has uncovered how some firms who profit from selling personal information – including sensitive financial records – are potentially exposing consumers to nuisance callers and scammers.

Posing as a dodgy pensions advice company looking to operate a common scam, 10 of the 14 ‘list broker’ firms we contacted entered negotiations with us to hand over more than half a million names, telephone numbers and even pension details for as little as four pence per record.

We were even sent a sample telephone list on which 13 out of 18 people were registered with the Telephone Preference Service.

Our investigation found a trail of evidence of irresponsible behaviour and opaque supply chains within the list broker industry, with some firms seemingly willing to sell us data even though our fake company looked remarkably like a scam outfit.

These alarming findings come as consumers battle against a daily deluge of nuisance calls and emails – the cause of 160,000 complaints to the Information Commissioner’s Office (ICO). The ICO is now investigating Which?’s findings.

How your data could end up in the wrong hands

When people complete surveys, enter competitions or agree to have their information shared with third parties when filling in forms, their personal information can be collected and turned into a list. It’s the job of a list broker to find a buyer for these lists. In November 2015, the ICO announced it was targeting list brokers, stating that the ‘illegitimate aspects… fuel the [nuisance calls] industry.’

Pensioners, and those approaching retirement, are commonly targeted. Pension fraud rose from £10m to £18.7m between April 2015 and March 2016 and early pension release scams are perhaps one of the cruellest – accessing your pension before the age of 55 can see you losing as much as 85% after commission and tax.

Despite this, some of the list brokers Which? contacted seemed willing to sell sensitive personal information to our dodgy-looking fake firm. In total, we discussed buying the details of more than 500,000 people, in some cases aged 50 and over, including incomes, pensions, homes and jobs. The price of each record was as little as 4p – a potential outlay of a few thousand pounds to get access to wealthy targets.

Easy access to personal information

One firm we contacted invited us to buy 2,200 records of professionals with pensions, despite us mentioning that we wanted to contact people about early pension release. These would have cost just 66p per record.

Another went as far as sending us an invoice for 5,000 records, costing 24p each, assuring us that the data would be sent as soon as payment was made. When we later approached that company for comment, it said that ‘the necessity for pre-payment has added an additional barrier to those of a fraudulent persuasion’ – a laughable assertion, in our view.

One company sent us a sample list of its data, with most of the subjects on it registered with the Telephone Preference Service, which people join to avoid nuisance calls. It later admitted that it had ‘failed to carry out the necessary checks on this occasion’ before sharing the data.

Of the 14 list-broking companies we contacted, four demonstrated what we think is best practice by refusing to deal with us from the outset. The remaining 10 weren’t so cautious, continuing to tell us about the types and quantities of data we could buy.

We don’t think these 10 companies carried out appropriate due diligence on us.

If they had, they would have discovered that our phony business was not listed at Companies House, that it wasn’t FCA regulated – despite our claim to offer investment advice – and that it was not registered with the Information Commissioner’s Office (ICO) – a must for anyone trading in personal data.

Some of the companies stated that they would have carried out further checks on our fake firm before sharing the data.

Breaching the guidelines that protect consumers

The failure to perform due diligence wasn’t the only serious issue we discovered. We also found numerous companies that appear to be in breach of the ICO’s guidance on the consent consumers need to give to have their details shared.

In general, if you agree for one organisation to pass on your details to another for marketing, your consent must be ‘knowingly and freely given, clear and specific’.

The ICO states that you must know which exact organisations, or, at a push, which precisely-defined type of organisations, your details will be passed on to and for what specific purpose. A line buried in a privacy policy approving marketing from ‘selected third parties’ wouldn’t pass the ICO’s test.

Companies engaged in direct marketing must also keep records of how their lists have been sourced and permission obtained. If they can’t prove valid consent, they may be subject to enforcement action. And yet most of the companies we approached were vague about where their data originated. Many said it came from online or phone surveys.

Furthermore, three companies told us their lists came from other data traders, to which people on those lists would have to have given their consent for us to get hold of their data. Alarmingly, one of the companies wasn’t even registered with the ICO – a criminal offence.

Pension ‘suckers lists’ come easy

One company offered us the option to buy two pension-specific lists.

The first contained 26,000 names along with National Insurance numbers, pension providers, pension sizes and even policy numbers, and was sourced from an introducer to a firm that a large insurer had accused of offering early pension release. This insurer had refused to transfer over one of its customers’ policies because it was concerned it wasn’t in the customer’s best interests.

The second list contained people who had previously been introduced to a financial advice firm that was under investigation by the Financial Conduct Authority, which had ‘serious concerns’ about the pension advice it had provided.

The company later told Which? Money it has now ceased promotion and supply of the lists pending investigation.

‘Millions are pestered by nuisance callers’

Harry Rose, Which? Money Editor, said: ‘Our investigation highlights that sensitive personal and financial data is being traded on a huge scale, with some companies apparently willing to sell to anyone who comes calling.

‘Millions are already pestered by nuisance callers and targeted by scammers. To avoid ending up on a list, never give permission for your data to be shared by third parties and if you are called out of the blue about a financial opportunity, hang up and report it.’

Following these revelations, the ICO is now investigating our findings, which it says ‘are very concerning and appear to raise serious issues about the compliance of organisations with data protection law. People have the right to know what happens with their personal data and be given a choice about how their details are used.’

The ICO stated that where it has ‘found companies have not followed the law we will consider enforcement action.’ This could result in fines of up to £500,000.
