Since more than one year ago, I’ve been getting spam email and cold calls almost every day. As most people do, I just ignore nuisance calls. But these weren’t just dodgy salesman or scammers trying their luck.
Numerous calls were coming from well-respected energy companies, one even came from a large charity. Yet I’d never been a customer and certainly hadn’t signed up for sales calls.
So how on earth had they got my mobile number — and why did they think they had permission to call me?
Victoria Bischoff (Money Mail editor) has struggled with unwanted sales calls for over a year. File picture
Someone must be handing out my contact details — no doubt for a tidy profit — and I wanted to know who.
Follow the trail of mysterious phone pests
The call came in from Scottish Power, while I was on vacation in Devon in October 2020. Surprised to be called on my mobile by a salesman, I sought out the source of my number. However, he did not answer and refused to call me back from the manager.
I might have let it go, but around the same time I was also being bombarded with spam emails from a host of companies I’d never heard of. Job Crown sent eleven emails within three days.
Many had an old postcode in the subject line along with phrases such as ‘urgent employment or ‘applicants requested’.
Another firm, called Super Savvy Me, sent 19 emails — 11 of which were reminding me to confirm my password. But I hadn’t heard of this firm and had not opened an account.
There was something fishy going on so I asked every company how they got my email address. Under data protection laws — General Data Protection Regulation or GDPR — you are entitled to know what data companies hold on you and where they got it from.
You can request this information by making a so-called ‘subject access request’. It is not easy to get answers. It was easy to fall into a rabbit hole.
Consider Job Crown as an example. The email claimed that it was a Prize Reactor company, which in turn stated that it obtained my details through The Secret For You, its partner website.
From there, I was directed to the site owner, Response Concepts — which then pointed me to data collector, Green Flamingo.
Are you still spinning your head?
It was obvious that something wasn’t right when Green Flamingo finally gave me all of its data. It claimed I had participated in two contests organised for a website called The Secret For You — which seems to be an online clothes store.
On October 9th at 5.20 am, one and on Oct 21st at 19.56. There was the first clue that it wasn’t me.
There is no way on earth I’d be awake at 5.20am, let alone messing about on my phone or computer.
The firm also provided two different dates of birth for me — neither of which was close to accurate.
It was more than a decade old. Plus I’d never lived at the house number on record.
Green Flamingo provided two IP addresses. These 12-digit codes identify the device that accessed the internet. After Googling ‘What is my IP address’, I found neither matched my own.
It only had my mobile phone number and email address, so it was limited in its data.
It was clear someone else had entered my details into the website — but who?
Why was it allowed to give my information to anyone on the website?
How to unravel a web of confusion
Green Flamingo said that by providing my data I had also given consent for it to be used for marketing purposes and to be contacted by third parties — which is where Scottish Power came back into the picture.
The energy giant also found my information on The Secret For You.
Scottish Power said it contracts data firms to provide ‘leads’ that give it permission to contact people about its services.
When a user visits a specific website, these leads are created.
It pointed me to Response Concepts, which describes itself as ‘a lead generation agency that acquires opt-in data on behalf of its clients from data collection companies’ — such as Green Flamingo.
One spokesperson suggested that my personal information had been used to sign up for these sites by another person.
My email address is involved in eleven data breaches according to Have I Been Pwned. So it wouldn’t be difficult for someone to find.
I’m not suggesting any of the firms named here are the guilty party. However, it raises concerns about what controls are in place to make sure data is correct and legally obtained prior to being sold.
You have the right to know your rights. Under data protection laws, you can find out what data companies keep about you and where they obtained it.
Moving in circles
Meanwhile, I’d also gone to battle with another energy firm, Utilita, after receiving a call out of the blue in January.
After some back and forth, I received a call from a very friendly man called Ian who works for a firm called Lead365 — which is the data processor responsible for delivering information to Utilita.
Ironically, in order to learn how energy companies got my information, I had strict privacy checks.
This was frustrating because they also had an inaccurate date of birth.
It turns out Utilita had also gathered my information from a number of websites — including, you guessed it, The Secret For You, along with another called ‘hnm.uk-freebies.com’.
Ian said he thought it was most likely that an automated ‘bot’ had scraped information from social media sites to fill in the gaps needed to create a full data profile.
The information may have been merged with my correct data, which includes my phone number, email address and date of birth.
He added it was unlikely someone was doing it to make money as they would only be paid ‘fractions of pennies’ for selling this type of data.
By now, more calls were flooding in and I was also receiving endless emails from a firm called CashbackDiscount — most of which are addressed to someone called Sean Shaw.
However, despite me explaining my identity and not signing up for the service, I received emails for several weeks even after I alerted them.
I pretend to be me but who is it?
Perhaps the most confusing call was from Octopus Energy.
My contact details were provided by Choose Leads lead agency. This claimed that I had participated in an online competition for the chance to win a Kitchen Aid gadget.
I was also told someone had used an Associated Newspapers IP address to access the website, ‘Quiztionnaire’.
However, a quick phone call to IT revealed that the IP address wasn’t ours. Experts tell me IP addresses can be ‘spoofed’, so any computer could have been used to access the website.
Plus, I was in bed that day recovering from Covid, so wasn’t using a work computer to enter online competitions. Also, the address and date of birth registered on this site weren’t correct.
The mistake was later discovered. Octopus said that my details had in fact been entered in a competition to win £500 of North Face vouchers run by data controller Qubiq on February 23.
Further checks revealed the data had been inputted manually rather by a computer bot — which would mean someone is masquerading as me. However, who is this person?
Diabetes UK also called me around the time. It said that it received my data from Membrain, a lead generator. They had found them on a competition site at 3.18AM (!) The same day.
All this is legal?
The General Data Protection Regulation (GDPR), was implemented in 2018. It gives people greater control over the way that organisations use their data.
However, there are still gray areas which can be interpreted. Even if you don’t give consent, your data can still be shared with other parties. Instead, firms can claim they have a ‘legitimate interest’ in doing so.
It is possible for a website competing in a contest to share data legally with partners who are interested in marketing related purposes.
Firms are still obliged to abide by a check list of strict rules — such as ensuring the wording is clear and making it easy to opt out.
They are also not permitted to use pre-ticked boxes or any other method of ‘default consent’ such as vague small print.
Mark Gracey was concerned when I displayed two of the contests I had allegedly entered, but he did not hesitate to express his concerns.
‘There is no obvious way for you to unsubscribe — and GDPR requires opt-out to be as easy as opting-in. The GDPR requires consent to be freely granted and that refusing it is not harmful. So arguably, you should be able to enter the competition without your data being shared,’ he adds.
The Privacy and Electronic Communications Regulations (PECR) prohibit firms from sending marketing messages or making phone calls without your consent.
Those who break the rules face fines of up to £500,000 and company directors can be held personally liable.
The Information Commissioner’s Office logged 60,363 complaints about nuisance calls and texts between April and September, and 130,046 about emails.
It is also stated that the law states that you can request to not be called back, and the company should delete your information from any marketing lists.
Also, you can include your telephone number in the Telephone Preference Service (tpsonline.org.uk).
This means a company cannot contact you unless they have express permission — though this won’t stop calls from fraudsters.
But James Walker, chief executive of Rightly, a firm that helps customers manage their data, says: ‘The Government needs to change the outdated Data Protection Act and force companies to be more transparent about how they use consumer information and to treat personal data more fairly.’
Victoria was sent 14 emails by Super Savvy Me. 11 were reminders to verify her password. She had not heard of it nor created an account.
Was this my result?
After investigating for more than a year, I’m sadly little closer to discovering exactly who has been giving out my contact details.
Subject access requests were generally answered quickly by most firms. They also provided details about how I got my data.
The majority of them reacted to my point that some details had been incorrectly provided and they didn’t know I was giving it out. They said they were doing their best and then went quiet.
You end up getting passed between them, as I have seen.
It’s clear we need far more transparency around how our details are traded. At present, as this sorry saga shows, once your data is out there, it could end up in anyone’s hands.
The firms’ statements
A Scottish Power spokesman says: ‘We treat this matter seriously and therefore would like to thank Mrs Bischoff for bringing this to our attention and we are now carrying out our own investigation’.
A Utilita spokesman said: ‘Our best practice methods far exceed the legal obligations that we are required to meet.’
A Diabetes UK spokesman apologises and says that no one should receive a ‘cold call’ from the charity.
Octopus Energy was provided with my data by Choose Leads. They say they take compliance very seriously and will ensure that any source of data or collection sites comply with ICO guidelines.
Response Concepts says it performs ‘strict due diligence’ on its partners to ensure their methods are reliable — and that what happened to me is rare.
Octopus’s spokesperson said that analysis indicated my data had been collected legally, however the company would no longer renew its contact with telesales agencies after their expiration.
Green Flamingo has not responded to any requests for comment.