Customers' records have been illegally traded by employees of T-Mobile, according to the mobile operator. The Information Commissioner's Office has reported that millions of records were involved.
The ICO reported earlier today that "substantial amounts of money" have been paid by brokers for the data, which includes the expiry date of agreements customers have with a mobile phone company. The information is used by competitors to offer people deals towards the end of their existing contract.
T-Mobile, part of Deutsche Telekom, said that it had contacted the ICO about the data breach. The company told news agency Reuters that it did so after employees passed the information to third parties "without our knowledge".
The ICO is preparing a file for prosecutors. It has raided a number of premises under search warrant, it said.
Information Commissioner Christopher Graham said that the news is evidence that tough jail sentences are needed for those who make a business out of the illegal trade in personal data.
"The existing paltry fines for Section 55 [of the Data Protection Act] offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent," he said.
"We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data. But, we will only be able to do this if blaggers and others who trade in personal data face the threat of a prison sentence," said Graham, who took up the post in June of this year.
The Government has said that it will introduce increased penalties and jail terms for the most serious breaches of the Data Protection Act (DPA) from April next year.
The Government is consulting on its plan for the maximum jail terms to be set at 12 months for summary conviction and two years for conviction on indictment. It announced last week that it intends the maximum fine to be £500,000.
The ICO's submission to the Government's consultation on jail terms for data breaches says that in the case of the mobile phone data sale "the number of records involved runs into the millions and it appears that substantial amounts of money changed hands".
"More and more personal information is being collected and held by government, public authorities and businesses," said Graham. "In the future, as new systems are developed and there is more and more interconnection of these systems, the risks of unlawful obtaining and disclosure become even greater."
"If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained effective sanctions are essential. This will not only underline the serious nature of the offence but will ensure that those convicted carry a meaningful criminal record," he said. "A custodial sentence will also have the added benefit of making the section 55 offence a recordable one and open up the possibility of extradition in appropriate cases.”