Since more than one year ago, I’ve been getting spam email and cold calls almost every day. As most people do, I just ignore nuisance calls. But these weren’t just dodgy salesman or scammers trying their luck.

Numerous calls were coming from well-respected energy companies, one even came from a large charity. Yet I’d never been a customer and certainly hadn’t signed up for sales calls.

So how on earth had they got my mobile number — and why did they think they had permission to call me?

Victoria Bischoff (Money Mail editor) has struggled with unwanted sales calls for over a year. File picture 

Someone must be handing out my contact details — no doubt for a tidy profit — and I wanted to know who.

Follow the trail of mysterious phone pests

The call came in from Scottish Power, while I was on vacation in Devon in October 2020. Surprised to be called on my mobile by a salesman, I sought out the source of my number. However, he did not answer and refused to call me back from the manager.

I might have let it go, but around the same time I was also being bombarded with spam emails from a host of companies I’d never heard of. Job Crown sent eleven emails within three days.

Many had an old postcode in the subject line along with phrases such as ‘urgent employment or ‘applicants requested’.

Another firm, called Super Savvy Me, sent 19 emails — 11 of which were reminding me to confirm my password. But I hadn’t heard of this firm and had not opened an account.

There was something fishy going on so I asked every company how they got my email address. Under data protection laws — General Data Protection Regulation or GDPR — you are entitled to know what data companies hold on you and where they got it from.

You can request this information by making a so-called ‘subject access request’. It is not easy to get answers. It was easy to fall into a rabbit hole.

Consider Job Crown as an example. The email claimed that it was a Prize Reactor company, which in turn stated that it obtained my details through The Secret For You, its partner website.

From there, I was directed to the site owner, Response Concepts — which then pointed me to data collector, Green Flamingo.

Here are five tips for protecting your information 

1. Use two emails

You can create a second email address to shop online or register for services. Only a handful of companies will have your primary address.

2. Opt out 

You should opt out of marketing communications with any firm you don’t want to hear from. You can opt out of marketing communications with any firm through the Telephone Preference Service or Direct Marketing Association.

3. Minimise cookies

Cookies are required to be accepted when you first visit a site. Some of these are necessary, like ‘functional’ cookies that store login details, but many share your personal information. Choose the smallest option.

4. This is the name of it 

Don’t misspell or capitalize your name when you share data with sites that concern you. It is much harder for fraudsters to steal your identity this way.

5. Keep data 

Only fill out essential fields in online forms so less information is at risk and avoid ticking the ‘third parties box’ that allows firms to share your data.  

Are you still spinning your head?

It was obvious that something wasn’t right when Green Flamingo finally gave me all of its data. It claimed I had participated in two contests organised for a website called The Secret For You — which seems to be an online clothes store.

On October 9th at 5.20 am, one and on Oct 21st at 19.56. There was the first clue that it wasn’t me.

There is no way on earth I’d be awake at 5.20am, let alone messing about on my phone or computer.

The firm also provided two different dates of birth for me — neither of which was close to accurate.

It was more than a decade old. Plus I’d never lived at the house number on record.

Green Flamingo provided two IP addresses. These 12-digit codes identify the device that accessed the internet. After Googling ‘What is my IP address’, I found neither matched my own.

It only had my mobile phone number and email address, so it was limited in its data.

It was clear someone else had entered my details into the website — but who?

Why was it allowed to give my information to anyone on the website?

How to unravel a web of confusion

Green Flamingo said that by providing my data I had also given consent for it to be used for marketing purposes and to be contacted by third parties — which is where Scottish Power came back into the picture.

The energy giant also found my information on The Secret For You.

Scottish Power said it contracts data firms to provide ‘leads’ that give it permission to contact people about its services.

When a user visits a specific website, these leads are created.

It pointed me to Response Concepts, which describes itself as ‘a lead generation agency that acquires opt-in data on behalf of its clients from data collection companies’ — such as Green Flamingo.

One spokesperson suggested that my personal information had been used to sign up for these sites by another person.

My email address is involved in eleven data breaches according to Have I Been Pwned. So it wouldn’t be difficult for someone to find.

I’m not suggesting any of the firms named here are the guilty party. However, it raises concerns about what controls are in place to make sure data is correct and legally obtained prior to being sold.

Know your rights: Under data protection laws you are entitled to know what data companies hold on you and where they got it from

You have the right to know your rights. Under data protection laws, you can find out what data companies keep about you and where they obtained it.

Moving in circles

Meanwhile, I’d also gone to battle with another energy firm, Utilita, after receiving a call out of the blue in January.

After some back and forth, I received a call from a very friendly man called Ian who works for a firm called Lead365 — which is the data processor responsible for delivering information to Utilita. 

Ironically, in order to learn how energy companies got my information, I had strict privacy checks.

This was frustrating because they also had an inaccurate date of birth.

It turns out Utilita had also gathered my information from a number of websites — including, you guessed it, The Secret For You, along with another called ‘’.

Ian said he thought it was most likely that an automated ‘bot’ had scraped information from social media sites to fill in the gaps needed to create a full data profile.

The information may have been merged with my correct data, which includes my phone number, email address and date of birth.

He added it was unlikely someone was doing it to make money as they would only be paid ‘fractions of pennies’ for selling this type of data.

By now, more calls were flooding in and I was also receiving endless emails from a firm called CashbackDiscount — most of which are addressed to someone called Sean Shaw.

However, despite me explaining my identity and not signing up for the service, I received emails for several weeks even after I alerted them.

I pretend to be me but who is it?

Perhaps the most confusing call was from Octopus Energy.

My contact details were provided by Choose Leads lead agency. This claimed that I had participated in an online competition for the chance to win a Kitchen Aid gadget. 

I was also told someone had used an Associated Newspapers IP address to access the website, ‘Quiztionnaire’.

However, a quick phone call to IT revealed that the IP address wasn’t ours. Experts tell me IP addresses can be ‘spoofed’, so any computer could have been used to access the website.

Plus, I was in bed that day recovering from Covid, so wasn’t using a work computer to enter online competitions. Also, the address and date of birth registered on this site weren’t correct.

The mistake was later discovered. Octopus said that my details had in fact been entered in a competition to win £500 of North Face vouchers run by data controller Qubiq on February 23. 

Further checks revealed the data had been inputted manually rather by a computer bot — which would mean someone is masquerading as me. However, who is this person?

Diabetes UK also called me around the time. It said that it received my data from Membrain, a lead generator. They had found them on a competition site at 3.18AM (!) The same day.

These major companies are examining our credit scores. 

Weexpect companies to search our credit files when we apply for a loan or insurance quote — but why are they searching the records of people who aren’t their customers?

I tried to answer this question after discovering a host of insurers I’d never used had accessed my credit file multiple times over an 18-month period.

They all performed ‘soft searches’, where firms check your file to see your credit rating or verify your identity without it affecting your score.

Under Data Protection Act rules, everyone has a right to know what data is being collected about them, how it is used and whether it is shared with third parties

Data Protection Act Rules give everyone the right to see what data has been collected, used, and shared with whom according to their rights.

Experian credit agency contacted me on my behalf and asked why they were checking my file. However, the insurance companies deleted my search records without saying anything.

Data Protection Act rules allow everyone to access the data that is being collected.

After approaching the AA, I was finally told it had been given my information by comparison site Moneysupermarket — which I hadn’t used in years.

The same was true for Insurer First Central. Therefore, I filed a Subject Access Request to Moneysupermarket for information about me. 

Eventually, I received documents showing it held a record of the main details of my personal life going back to 2010, including everywhere I had lived, cars I’d owned, my jobs, salaries, education status and even whether I was single.

Most of this data was based on searches I’d made more than five years ago — but after yet more identity checks, it turned out my husband used the site to search for car insurance in 2019 and listed me as a named driver.

Customers are required to agree to the terms and conditions of this site when they use it. 

But many won’t realise that by doing so the firm can hold, access and share your data for years after, even if you do not buy a policy. Moneysupermarket’s terms are in the small print of an 8,000-word privacy policy.

Martyn Jam, an expert on consumer rights, says insurers are extremely valuable with our data. ‘It helps them target customers to market products but it also helps them profile drivers to refine their premium pricing,’ he explains.

A spokesperson says: ‘We place the highest importance on our customers’ privacy . . . It is down to the primary policyholder inputting additional driver details to seek consent for the additional data.’

All this is legal?

The General Data Protection Regulation (GDPR), was implemented in 2018. It gives people greater control over the way that organisations use their data.

However, there are still gray areas which can be interpreted. Even if you don’t give consent, your data can still be shared with other parties. Instead, firms can claim they have a ‘legitimate interest’ in doing so.

It is possible for a website competing in a contest to share data legally with partners who are interested in marketing related purposes.

Firms are still obliged to abide by a check list of strict rules — such as ensuring the wording is clear and making it easy to opt out.

They are also not permitted to use pre-ticked boxes or any other method of ‘default consent’ such as vague small print.

Mark Gracey was concerned when I displayed two of the contests I had allegedly entered, but he did not hesitate to express his concerns.

‘I would say the fact that they want to share your data with third-parties that don’t necessarily relate to the competition is not clear and relies on you to specifically read their privacy policy,’ he says.

‘There is no obvious way for you to unsubscribe — and GDPR requires opt-out to be as easy as opting-in. The GDPR requires consent to be freely granted and that refusing it is not harmful. So arguably, you should be able to enter the competition without your data being shared,’ he adds.

The Privacy and Electronic Communications Regulations (PECR) prohibit firms from sending marketing messages or making phone calls without your consent. 

Those who break the rules face fines of up to £500,000 and company directors can be held personally liable.

The Information Commissioner’s Office logged 60,363 complaints about nuisance calls and texts between April and September, and 130,046 about emails.

It is also stated that the law states that you can request to not be called back, and the company should delete your information from any marketing lists.

Also, you can include your telephone number in the Telephone Preference Service (

This means a company cannot contact you unless they have express permission — though this won’t stop calls from fraudsters.

But James Walker, chief executive of Rightly, a firm that helps customers manage their data, says: ‘The Government needs to change the outdated Data Protection Act and force companies to be more transparent about how they use consumer information and to treat personal data more fairly.’

A firm called Super Savvy Me, sent Victoria 14 emails - 11 of which were reminding her to confirm her password. Yet she had never heard of the firm nor opened an account

Victoria was sent 14 emails by Super Savvy Me. 11 were reminders to verify her password. She had not heard of it nor created an account.

Was this my result?

After investigating for more than a year, I’m sadly little closer to discovering exactly who has been giving out my contact details.

Subject access requests were generally answered quickly by most firms. They also provided details about how I got my data. 

The majority of them reacted to my point that some details had been incorrectly provided and they didn’t know I was giving it out. They said they were doing their best and then went quiet.

You end up getting passed between them, as I have seen. 

It’s clear we need far more transparency around how our details are traded. At present, as this sorry saga shows, once your data is out there, it could end up in anyone’s hands.

The firms’ statements

A Scottish Power spokesman says: ‘We treat this matter seriously and therefore would like to thank Mrs Bischoff for bringing this to our attention and we are now carrying out our own investigation’.

A Utilita spokesman said: ‘Our best practice methods far exceed the legal obligations that we are required to meet.’

A Diabetes UK spokesman apologises and says that no one should receive a ‘cold call’ from the charity.

Octopus Energy was provided with my data by Choose Leads. They say they take compliance very seriously and will ensure that any source of data or collection sites comply with ICO guidelines.

Response Concepts says it performs ‘strict due diligence’ on its partners to ensure their methods are reliable — and that what happened to me is rare.

Octopus’s spokesperson said that analysis indicated my data had been collected legally, however the company would no longer renew its contact with telesales agencies after their expiration.

Green Flamingo has not responded to any requests for comment.

Affiliate links may appear in some of the links. Clicking on these links may result in us earning a small commission. This is money helps fund it and we keep it for free. Our articles aren’t written for the purpose of promoting products. Our editorial independence is not affected by any commercial relationships.