Chris Oliver from Fix Auto Dagenham writes the London Calling column in Paint & Panel magazine. What happens there almost always happens over here so keep your customer data safe.This column was first printed in July 2017.
Cyber security. Big yawn. Turn page. Move on. A year or so ago, I would have been right with you. The real story here is not about cyber security, it’s about plain old fashioned criminal thieves.
This issue is criminal theft of personal, in this case policyholders', data. It is dressed up as intellectual property fraud (IPF) or virtual fraud, or some other current buzz word that a 19-year-old geek has dreamt up.
In plain English it is downright rotten scumbags nicking things that do not belong to them. It has drifted under the radar because it is 'online'. Cobblers, if someone gets into your systems - what is the difference between that and throwing a brick through your car window or smashing your patio doors in?
In the UK there has been a spate of thefts of policyholders’ personal data, which is then sold on to third party accident managers who in turn carry out so-called nuisance calls.
All sectors of the industry have been hit – car hire companies, insurers and, critically, repairers. Of course, everyone is keen to find a scapegoat. Guess who gets the finger pointed at them? Correct. It must be those horrible repairers.
Imagine this regular scenario. Mr Brown crashes his car. It’s immobile and the emergency services are involved. First on scene are the ambulance service, followed by police, in parallel with fire.
In the meantime, on Mr Brown’s smartphone, he’s told his insurer and all his friends on Facebook, Twitter and Instagram. Then a recovery company arrives.
It’s Sunday, so the car is towed to a storage pound. Monday, another recovery company drags it out and takes it to a repairer. The repairer estimates it. Now it gets interesting.
The insurer mandates a system for that. The insurer probably mandates a part or parts supplier too. The suppliers ‘intercept’ the estimate, tweak the parts and let the estimate wing its way to an insurer.
The car is damaged heavily so an independent engineer is instructed. In the event, the car is a total loss so another agent collects it and off it goes to a salvage agent, who, in all likelihood advertises it on a website.
From a rough calculation I conclude there are around 15 different organisations that have seen Mr Brown’s personal details. But of course, any leak is the fault of the repairer, isn’t it? So that is an information chain and, in case you missed it, also my feeble attempt at irony.
Why is this happening now? Here’s my hypothesis. In 2012, the UK government was ‘concerned’ about the rising price of car insurance premiums.
They instructed a regulator, the Competition and Markets Authority (CMA) to carry out a review. What the CMA did conclude was all insurers ‘earned a rent’ from claims.
That is to say they sold data, which is not illegal if you have the individual’s permission. The regulator did stir up a hornet's nest and for a while premiums fell.
I am a lone voice in the wind here, but I actually believe premiums are too cheap. The effect many believe that it had was it forced sectors of the industry to look at other ways to make a profit. Nothing wrong with that.
And to be clear, before the lawyers hit me and Sam, I am explicitly not saying insurers sell data, legally or otherwise, just that the pressure is there.
What we are seeing with the prosecutions so far are individuals stealing data and selling it on. We are not seeing at the moment any systematic abuse by organisations.
Will that come further down the road? I don’t know. But examples of corporate abuse have been uncovered in the past on other unrelated matters.
This evil spot will come to a head and burst soon - everyone agrees although no one knows when. There is a great deal of chatter as to how to resolve it.
The barrier seems to be that everyone in that long information chain needs customer data.
But do they? Do they really? Why not simply delete any reference to customers’ personal details and not let them travel unprotected through cyber space?
It doesn’t need to go to a parts supplier who wants to sell the insurer pattern parts. It doesn’t need to be in the estimate. There are loads of others in the chain who do not need it.
Will we get there? I doubt we will any time soon. But in the meantime there is a lot of pain to bear.
And once this hits the press, we will be forced come up with a solution to fit it. In the meantime, just keep blaming those horrible repairers.