A former British Gas employee is facing prison after admitting to stealing and selling customer data worth around £45K. Over a six-month period, he accessed the details of around 1,700 customers, including names, addresses, dates of birth and energy usage, and sold them to a marketing company.
The case is significant not only because of the scale of the insider abuse but also because of how it is being prosecuted. The individual has been convicted under both the Data Protection Act 2018 (DPA) and the Theft Act 1968. This is unusual: personal data in itself is not generally treated as “property” under the Theft Act, so unlawfully obtaining it is normally charged only under the DPA. However, where physical or digital files containing the data are taken, courts may treat those files as property, and that is exactly what happened here.
Because magistrates’ courts can only impose custodial sentences of up to 12 months, the case has been sent up to the Crown Court for sentencing later this year. The Theft Act conviction means that, unlike the DPA alone, a prison sentence is firmly on the table.
Why this matters: The insider threat in practice
This is a textbook example of the insider threat. The employee in question wasn’t an external hacker breaking through firewalls. Rather, he was a call centre worker with legitimate access. His role required him to verify customer details and with that access he was able to slowly and quietly transfer out large volumes of sensitive data.
British Gas only realised what was happening when customers began reporting suspicious cold calls linked to their account details. An internal investigation led to reporting the issue to the ICO, and eventually to prosecution.
The legal and regulatory angles
From a legal perspective, this case shows that UK authorities are willing to get creative in pursuing data criminals. Using the Theft Act alongside the DPA reflects the seriousness of the conduct and the financial gain involved. The Crown Court may also seek recovery of the £45K under the Proceeds of Crime Act 2002.
So far, British Gas itself has avoided regulatory fines. The ICO tends to reserve penalties for organisations that fail to put appropriate measures in place. Initial indications are that British Gas had controls and cooperated with the authorities. Civil claims from customers are still possible.
The DUAA 2025: Raising the stakes
This case also lands at a pivotal moment. With the Data (Use and Access) Act 2025 (DUAA) now in force, organisations are operating in a new regulatory environment.
The DUAA:
- expands the powers of the UK’s data regulator, now a board-led Information Commission, with stronger investigative and enforcement tools
- embeds a tougher stance on breach reporting, bringing the breach-notification deadline for communications providers under PECR into line with the 72-hour rule that already applies under the UK GDPR
- signals increased accountability for both organisations and individuals when personal data is misused
Against this backdrop, the British Gas case is a cautionary tale. Insider abuse may be old news, but the regulatory response is evolving rapidly. The DUAA means that organisations can expect more scrutiny, faster intervention and greater pressure to demonstrate that insider risk is being actively managed.
Key takeaways
What can privacy and compliance professionals learn from this case?
- Zero-trust applies inside too. Apply least-privilege principles and use access controls that adapt to context.
- Detect the unusual. Monitoring tools should flag large downloads, odd access times, or screen scraping activity.
- Limit exposure. Tokenise or mask personal data so staff only see what they truly need.
- Know your people. Vet staff before hiring, re-check periodically, and provide regular training on data ethics.
- Act quickly. If a breach occurs, rapid reporting to the ICO (which is what British Gas did) can reduce regulatory fallout.
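The “detect the unusual” point above is where most organisations fall down in practice, because an insider with legitimate access never trips a perimeter control. As an added illustration (not from the original article, and not a description of British Gas’s systems), the script below runs three simple insider-risk checks over a constructed sample of call-centre record-access logs: an agent viewing far more distinct customers than their peers, lookups with no associated call or ticket, and lookups outside business hours. The log format, the assumption that the desk tool records a ticket ID for each lookup, and the thresholds are all assumptions for the example.

```python
"""Added example: flag anomalous customer-record lookups by call-centre agents.

Not part of the original article. The log format, the presence of a
ticket/call ID on each lookup, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one line per customer-record view.
# Fields: timestamp, agent ID, customer ID, ticket ID ("-" = no open call/ticket).
# agent01 and agent02 behave normally; agent03 pages through records with no
# ticket attached and comes back for one more after hours.
SAMPLE_LOG = """\
2025-03-03T09:02:11 agent01 C1001 T5501
2025-03-03T09:15:40 agent01 C1002 T5502
2025-03-03T10:31:05 agent01 C1003 T5503
2025-03-03T09:05:22 agent02 C2001 T5601
2025-03-03T11:47:09 agent02 C2002 T5602
2025-03-03T14:12:33 agent02 C2003 T5603
2025-03-03T09:00:01 agent03 C3001 T5701
2025-03-03T09:01:30 agent03 C3002 -
2025-03-03T09:02:45 agent03 C3003 -
2025-03-03T09:04:02 agent03 C3004 -
2025-03-03T09:05:19 agent03 C3005 -
2025-03-03T09:06:41 agent03 C3006 -
2025-03-03T09:08:03 agent03 C3007 -
2025-03-03T09:09:27 agent03 C3008 -
2025-03-03T09:10:50 agent03 C3009 -
2025-03-03T09:12:14 agent03 C3010 -
2025-03-03T09:13:36 agent03 C3011 -
2025-03-03T09:14:58 agent03 C3012 -
2025-03-03T22:41:07 agent03 C3013 -
"""

BUSINESS_HOURS = (8, 20)   # 08:00 to 19:59 local time (assumed shift window)
VOLUME_MULTIPLIER = 3      # flag an agent above 3x the median peer volume ...
VOLUME_FLOOR = 10          # ... but only once they have viewed at least this many
NO_TICKET_SHARE = 0.5      # flag when more than half of lookups have no ticket


def parse(log_text):
    """Turn the whitespace-separated log into (timestamp, agent, customer, ticket)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, agent, customer, ticket = line.split()
        events.append((datetime.fromisoformat(ts), agent, customer,
                       None if ticket == "-" else ticket))
    return events


def analyse(log_text):
    """Return {agent: [reasons]} for agents whose lookups trip any check."""
    customers = defaultdict(set)   # distinct customers viewed per agent
    lookups = defaultdict(int)     # total lookups per agent
    no_ticket = defaultdict(int)   # lookups with no call/ticket attached
    off_hours = defaultdict(int)   # lookups outside the shift window
    for ts, agent, customer, ticket in parse(log_text):
        customers[agent].add(customer)
        lookups[agent] += 1
        if ticket is None:
            no_ticket[agent] += 1
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            off_hours[agent] += 1

    # Peer baseline: the median agent's distinct-customer count for the period.
    baseline = median(len(c) for c in customers.values())
    findings = {}
    for agent in customers:
        reasons = []
        n = len(customers[agent])
        if n >= VOLUME_FLOOR and n > VOLUME_MULTIPLIER * baseline:
            reasons.append(f"{n} distinct customers vs. median {baseline:g}")
        share = no_ticket[agent] / lookups[agent]
        if share > NO_TICKET_SHARE:
            reasons.append(f"{share:.0%} of lookups with no ticket")
        if off_hours[agent]:
            reasons.append(f"{off_hours[agent]} off-hours lookup(s)")
        if reasons:
            findings[agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in analyse(SAMPLE_LOG).items():
        print(agent, "->", "; ".join(reasons))
```

The practical caveat is the volume check on its own. Around 1,700 records over six months is roughly a dozen a day, which for a busy call-centre agent may sit comfortably inside the peer median, so slow exfiltration of this kind tends to hide from per-day volume alerts. The signal that survives is context: a record viewed with no live call or ticket behind it, or outside the agent’s shift, which is why this example correlates each lookup with a ticket ID rather than counting alone. In production the baseline should also be the agent’s own history over weeks, not a single day’s snapshot across three agents.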
The DUAA underscores a reality we’re already seeing play out in the courts: Data misuse will be pursued with greater determination and broader legal tools than ever before. The British Gas insider may be just one employee but the consequences for both him and his employer are a stark reminder that data protection isn’t just about compliance checkboxes. It’s about building a culture of trust, vigilance, and accountability. In 2025, regulators and courts are watching more closely than ever.
The Data (Use and Access) Act 2025 has introduced the most significant changes to UK data protection since UK GDPR came into force. While the DUAA does not replace the UK GDPR, DPA 2018, or PECR, it fundamentally reshapes how organisations process personal data, manage subject access, handle cookies, and apply legitimate interests. Our guide, Data (Use and Access) Act 2025: What you need to know, explains what’s changing, what’s staying the same, and how your organisation can prepare.
Don’t miss our one-hour live webinar, where VinciWorks compliance experts break down the practical impact of the DUAA on your data protection strategy. We’ll cover how you can adapt existing GDPR and DPA 2018 compliance frameworks, avoid missteps and ensure your organisation is prepared for the future of data protection. Register here.