Insurance worker jailed for stealing and selling on customer data

A former insurance company employee who stole customer details and sold them to claims management companies has been jailed.

Karl Yates, 40, of no fixed abode, accessed customer data associated with non-fault road traffic claims from Royal Sun Alliance (RSA) systems while employed by them, when he was not authorised to do so.

He then passed the details on to claims management companies, which used the information to cold-call the drivers involved and pressurise them into making personal injury and damage claims against the insurance industry.

Yates was found guilty of fraud by abuse of position and computer misuse on 8 November 2023, following a trial at Liverpool Crown Court. He was sentenced to 28 months imprisonment at the same court on 11 December 2023.

Detective Sergeant Matt Hussey, from the Insurance Fraud Enforcement Department (IFED) at the City of London Police, said:

“Yates took advantage of his position of trust by stealing confidential data for over a year. He copied down customer records and took pictures of them on his mobile phone, gathering enough details so that the phone calls from the cold calling companies would sound legitimate.

“Yates’ actions could have seriously harmed RSA’s reputation. As well as being distressing for customers, the cold calls could have caused members of the public to unintentionally submit fraudulent claims across the insurance industry.

“Unfortunately for Yates, his plan backfired and we found clear evidence of his scheme when we arrested him. We hope this sends a clear message to anyone thinking of doing something similar – not only will you lose your job, you could face a prison sentence too.”

The theft was discovered by RSA, following controls identifying issues and customer complaints, which reported it to the Insurance Fraud Enforcement Department (IFED) at the City of London Police in September 2020.

After it was bought to their attention during the peak of the coronavirus pandemic in 2020, RSA researched all of those who had complained and identified that Yates had accessed their records when he was not authorised to do so.

After further enquiries, IFED officers went to Yates’ residence at the time to arrest him. Yates was logged into his work computer and pages of handwritten notes, which contained the details of customers whose accounts he had recently accessed, were found next to the screen.

Officers seized £2,200 in cash, documents containing customer details and a mobile phone from Yates’ address. An examination of the mobile phone found that it contained over 100 images of typed pages of customer details.

Adele Sumner, Head of Counter Fraud & Financial Crime at RSA, UK & International, said:

“We have strong fraud detection and prevention and data security controls at RSA. Where we identify any potential wrongdoing, we’ll investigate and take strong action against those responsible – as demonstrated here – to prosecute and ensure they’re brought to justice.

“RSA was the victim of a crime committed by an employee in this instance and we took swift action to protect our customers. We’re pleased with the outcome of the investigation and today’s judgement and sentencing.”

During his police interview, Yates made no comment other than to confirm his mobile telephone number.