EE data breach ‘led to stalking’
- Published
An EE customer has said she was stalked by an ex-partner who worked at the firm, after he accessed her personal data without permission.
Francesca Bonafede's number was switched to a new handset and her address and bank details were accessed.
She said the company failed to take the data breach seriously and she had to involve police.
EE "sincerely apologised" to Ms Bonafede, and said the employee no longer worked for the company.
'They didn't seem concerned'
Ms Bonafede, from London, told the BBC's Victoria Derbyshire programme she first contacted EE in February 2018 after her phone suddenly stopped working.
After five days with no signal, she was told someone had visited an EE shop, requested a new Sim card and switched the account to a new handset.
When the call centre handler read out the new address registered on the system, she recognised it as that of her ex-partner - who worked at one of the firm's High Street stores.
It could have meant all texts and calls made to her during that period would have gone to him.
"The agent just didn't seem concerned at all," she said.
"I kept asking to speak to a manager who could give me more concrete information, and I was always told no-one was available."
'Endless' texts
Ms Bonafede does not know for sure why her ex-partner wanted to access her account data, but thinks it may have been related to official documents for which he was applying.
She said the man called and texted her "endless times" in an attempt to persuade her to withdraw the complaint, and turned up unannounced with his friends on multiple occasions at her new address.
"It was really distressing and I had to go to the police and tell them what was happening," she said.
"They asked me repeatedly what EE was doing about all this and I just had to say, 'actually, I don't have a clue because they don't keep me updated'.
"The only way he could have known about my new address was through the data breach, because we broke up quite a long time before that."
Ms Bonafede's ex-partner was eventually arrested and given a harassment warning by police before the contact stopped.
Despite being given assurances that EE would investigate, she said it was not until she started publically tweeting about the problem that the company started taking it seriously.
"I spent countless hours at the police station and missed days at work," she said. "He had access to everything: my sort code, my account number, a photocopy of my driver's licence.
"It did put me at risk and I feel all customers should know how poorly something like this will be handled if there is a data breach on their account.
"It was a complete breach of trust. I don't trust the way they handled my data at all."
Internal policies 'not followed'
An EE spokesman said its own internal policies were not followed in this case.
"This matter has been dealt with internally and the employee involved no longer works for us," he said.
"While we worked quickly to protect Francesca, we apologise for not keeping her informed of the actions that we took during this time."
The Information Commissioner's Office said that under the Data Protection Act and GDPR it was "illegal for individuals to access personal data without authorisation".
It said there was also an obligation for companies to ensure data was managed securely, and protect "against unauthorised or unlawful processing and against accidental loss, destruction or damage".
Follow the Victoria Derbyshire programme on Facebook, external and Twitter, external - and see more of our stories here.
- Published15 May 2018