Michael and Jan Reed can remember the moment their family business received its first indelible blow. It was 2015 and three of their regular customers were standing in the reception of their accident repair centre in County Durham. It had been a busy period and, unusually, all three had come to collect their cars at the same time.
One had got a call from an accident management company trying to persuade him to make a personal injury claim. Unusually, the caller knew the make and model of the car and the date of the accident. The second man said the same had happened to him. By the time the third customer confirmed he had also got the cold call, the three of them were pulling out their phones.
“One of the guys said: ‘Well, what number was it?’”, says Jan, brow furrowed at the memory. “They were just getting the mobiles out and saying this number, and then asking me if I knew it. I said: ‘No, I don’t know that number at all’. And they asked: ‘Well, where did they get it from?’”
The men did not have insurance with the same company, had used different brokers and their accidents were unconnected. “And then all three of them turned around,” says Michael. “They went: ‘Well, it must be you guys.’”
Cold callers are a nuisance, whether they are asking about repairs to your property or trying to persuade you to make a personal injury claim. But what happens when those calls threaten to bring down your business?
Last month, after a 10-year investigation, eight men were convicted for their part in a conspiracy that ran one of the biggest nuisance call operations seen in the UK. The people who precipitated their downfall? A husband and wife from County Durham, who just wanted to protect their business.
The 10-week trial at Bolton crown court, which brought to an end the largest investigation into cold calls carried out in the UK, shed light on a murky world.
A jury found Craig Cornick, 40, a well-known businessman in the north-west, guilty of stealing personal data, having earlier found him and Thomas Daly, 35, not guilty of hacking into computer systems. Daly had previously pleaded guilty to two counts of conspiring to steal personal data. Of the six remaining men, all admitted stealing data, and four admitted hacking into computer systems.
The names, numbers and details of people involved in accidents may seem like rows on a spreadsheet, but they provide lucrative spoils. That information is sold to claims management firms hoping to generate leads for personal injury cases.
The cold-calling gang targeted a million people and hundreds of accident repair garages between 2014 and 2017, according to the Information Commissioner’s Office (ICO).
The Reeds’ role in exposing them starts almost a decade ago, in 2015.
The couple run Alan Reed Ltd, set up by Michael’s father in 1970 and joined by Michael when he left school at 15. It is a family effort: Jan is in charge of customer care, her daughter Debbie does the accounts, and Michael’s daughter Megan works in parts.
After the painful confrontation with their three customers, the complaints kept coming, and the couple worried about their reputation. “You get upset,” says Jan. “Then we got quite angry about it, didn’t we? Thinking, well, we’re not to blame. We used to talk about it all the time. We were just going inside out with it.”
They were not naive about data. They worked with bluechip insurance companies, and underwent training in how to protect personal information. They got their centralised IT car logging system, used widely in the industry, inspected twice, but were told nothing was wrong. They trusted their 40 staff – they had known half of them since they started as apprentices – but thinking they were the only garage affected, they started to wonder if they had been betrayed.
After months of complaints, they had had enough. Michael remembers the exact moment. The couple were in the car and Jan was upset. “I said: ‘I can’t do this any more, we’ve got to do something’,” she recalls. But then she had a thought. “I said: ‘How about we put our information into the computer?’ And Michael said: ‘Right. We’ll give it a go.’”
They input their own numbers in spring 2016, alongside details of fictional accidents, and waited. At first, nothing happened. But then, 11 days later, Michael’s phone started ringing. “I literally walked through to say: ‘Jan, I’ve got somebody on the phone’,” at the same time Jan’s phone rang, says Michael. “I said: ‘Just go and answer it,’ and then we looked: it was the same number.”
Michael spoke to the cold caller, asking if they knew the date he’d had an accident. When they confirmed the date, they put him through to a solicitor. Michael eventually made his excuses and ended the call. After a letter from the solicitors arrived, they were ready to go to the authorities.
“Obviously, we thought it was going to be over in weeks,” says Michael. “We didn’t think it was going to be nearly 10 years.”
Andy Curry is the head of investigations at the ICO, which investigated and prosecuted the criminal case under powers bestowed by data protection legislation. He is not an excitable man, but when he talks about the scale of Operation Pelham, as the investigation was named by the ICO, his eyes light up. “This is the biggest criminal investigation and prosecution the ICO has ever undertaken,” he says.
Thanks to the information provided by the Reeds, alongside hundreds of other garages, ICO criminal investigation officers carried out nine raids in Macclesfield and Manchester in 2016. They seized 241,000 emails, 4.5m documents, 144,000 spreadsheets, 1.5m images and 83,000 multimedia files.
Among the devices taken was an iPhone, which, according to the ICO’s prosecuting barrister, “opened Pandora’s Box” and provided “a clear window into the extent of the criminality” of the gang.
Curry says: “We uncovered a vast, murky criminal network where crash details were stolen from garages across England, Scotland and Wales and traded to fuel distressing predatory calls. It was an enormous and complex case.”
after newsletter promotion
Did it make these men rich? “We think over £3m has been obtained through this activity,” says Curry. “So, a fairly significant amount of money.”
Evidence put before the jury painted a picture of a group of men who thought they were untouchable, boasting in texts about the personal data they could obtain.
In a conservation from September 2016, one asks: “Do you still get insurance data? I have someone interested in purchasing off you on a weekly basis bro.” The reply came 29 minutes later: “Don’t have anything for sale atm bro but just got a new kid who can get me anything I want from anywhere so soon as he up and running will let u know bro.” A few minutes later there was another reply: “Decent u data King now haha.”
Another key piece of evidence came in the form of a selfie video, filmed by Mark Preece, who admitted conspiring to hack computer systems and steal personal data. “I’ve got the full garage list. I’ve got all the passwords for everything,” he says. “All the data […] I’m going to be rich, well, I am rich.”
Curry says the messages were a crucial aspect of building the case. As for the video, it was a gift. “When you watch this you think, how stupid do you have to be to film yourself basically admitting to a criminal offence on this large scale?” he says. “But great for us.”
Some of the men said they were involved in legitimate businesses. Thomas Daly and Adam Crompton, the directors of a now-dissolved company called Cheshire Finance UK, listed under “call centres” on Companies House, had used their company to mask the “purchase, sale and harvesting of unlawfully obtained data”, the ICO argued in court.
Cornick is listed as a director of 15 businesses on Companies House since 2013; nine have been dissolved, two liquidated and four are active. His listed address, a large mock Tudor residence with an electric gate and prominent CCTV, is in Prestbury, an affluent village in Greater Manchester known for its mansions owned by footballers and millionaires.
In a statement after his conviction, Cornick said that during the period on which the trial focused “data trading was a common industry practice” before regulations were tightened, “reinforcing the need for businesses to closely scrutinise where their data originates”. He was “relieved” to be cleared of computer hacking, but rejected “any notion of wrongdoing” and said he would appeal against his conviction.
There has been a clampdown on cold callers in recent years. The UK moved to ban cold calls offering financial products in 2023, so anyone being contacted out of the blue can assume they are a scam. But people are still bombarded with billions of unwanted calls every year. According to data from Hiya, a spam blocker service, UK residents received an average of three spam calls a month between January and June last year, equating to about 195m spam calls in the UK every month.
Despite taking almost 10 years, Operation Pelham is not over. The ICO confirmed that one man, 33-year-old Jamie Munro, who is wanted on three counts related to the case, has disappeared and is thought to be overseas. And a second phase of the investigation is looking into the role of people in insurance firms and claims management companies. Curry says the ICO will continue in its efforts to “untangle this web of illicit data trade. We will be relentless.”
So what now? What consequences will this “vast, murky criminal network” face? The ICO says it will go after any proceeds of crime; it will probably also push for a red flag to be placed on each of the conspirators, preventing them from becoming directors of companies in the future.
However, all of the men are likely to avoid prison when they are finally sentenced next April. Offences under the 2018 Data Protection Act, including stealing data, are punishable by fines. Those convicted of hacking under the Computer Misuse Act will probably receive suspended sentences. “We have no involvement in sentencing,” the ICO’s legal team said. “The court must sentence within the confines of the maximum sentence available in law.”
Since it began, Operation Pelham has swallowed hundreds of hours of investigators’ time. Asked why it took so long, the ICO said it was a complex case, and had been affected by the pandemic and a year-long adjournment. As to how much it cost, the body said it was carried out as part of its normal regulatory functions. “We do not record costs for specific investigations,” a spokesperson said.
Back in County Durham, the Reeds say they are proud of the role they played, but mostly they just want to get on with their lives. “Businesses like ourselves are the backbone of this country. We need to stand up for ourselves and not get swallowed up,” says Michael. He shows a black and white picture of his parents, smiling outside the original garage. “When you’ve been going for 55 years and you look at all the different things you’ve dealt with, well, this is just something in that timeline,” he says. “It’s been dealt with, we’ve dealt with worse. Everything we do is challenging – if it was easy, I don’t think it would suit the Reed family.”