A man who unlawfully accessed personal data has been sentenced after our investigation.
Jonathan Riches, 46, pled guilty to an offence under section 55 of the Data Protection Act 1998 at Cardiff Crown Court. The court heard Riches had illegally accessed motorists’ details from Enterprise Rent-A-Car and would pursue personal injury claims for financial gain.
Her Honour Judge Francis sentenced Mr Riches to a fine of £10,000, plus costs of £1,700.
The offences were committed between 2009 and 2011. Mr Riches had previously been an employee of Enterprise Rent-A-Car, then left in 2009 to set up his own personal injury firm. He was still in contact with former colleagues, and through this would illegally obtain the details of those involved in road traffic accidents then contact them offering legal services. At one point, Mr Riches, through his accomplices, had access to the internal Enterprise database allowing him to access the personal details of clients.
He had previously been ordered to pay Enterprise Rent-A-Car a £300,000 civil settlement, then was interviewed by our criminal investigations team the following year. He was first summonsed to appear in court in 2016. However, he had already relocated to the United States and therefore failed to appear in court. A warrant was then issued for his arrest. He returned and surrendered himself to authorities in 2024.
Andy Curry, our Head of Investigations, said:
“We are pleased to see justice has been served in this case. Mr Riches spearheaded a brazen operation, through his accomplices illegally accessing Enterprise Rent-A-Car systems in order to steal data which he then used to enrich himself to the tune of hundreds of thousands of pounds.
“His scheme, which involved the unauthorised use of people’s personal data, was not only illegal, but it also meant people received nuisance calls asking them if they wanted to make a personal injury claim.
“The sentence delivered today demonstrates justice in this case, despite the prosecution and sentencing being delayed for a significant period by the defendant relocating to the USA.
“We would like to extend our thanks to Enterprise Rent-A-Car who informed the ICO of the breach as soon as they were aware of it due to the measures they have in place to avoid and mitigate the actions of those who commit criminal offences and for their support in this case.”
Mr Riches’s accomplices in the crimes, Jamie Leong, Michelle Craddock and Andrew Minty, were all previously sentenced. The Judge told Riches it was a sophisticated and long-running agreement which involved a cynical breach of trust. The Judge ruled that the fine must be paid within 12 months, or it will default to a custodial sentence of nine months.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.