Ex-employee steals client database ‘and another local agent is using it’ – claim

A former employee of Martin & Co in Croydon has been accused of stealing the firm’s client database and handing it to a competitor agency in the local area.

An email sent to the company’s co-director Paul Maruna yesterday set alarm bells ringing, as it led to the realisation that the database had been potentially stolen.

Peter Brown, co-director, contacted EYE last night to explain what had happened.

He said: “My business partner received a curious email on his work account from one of our competitors yesterday asking about the management of his property portfolio and saying they were following up a previous contact with him. He thought it strange as doesn’t have a property portfolio, has never owned a property in our area and has never been in contact with the agent in question.

“A couple of hours later the business manager for a landlord based in Kuwait called to ask if we knew the person who had emailed my partner as the landlord had also received an identical email. The penny began to drop, I checked our database and my partner’s details were on there with his work email address due to an historic technicality.

“I then emailed our landlord database to ask whether anyone else had received the same email and within a few minutes several people came back to me to say they had and also confirmed no previous contact with the agent. No coincidence then.

“I emailed the senior letting manager at the firm in question asking them to desist on the threat of legal action but got an out of office reply. About five minutes later I got a call from him though.”

Brown, who has previously worked for Connells, Haart and Andrews Estate Agents, was surprised to find that the letting manager of the other firm did not deny the accusations being aimed at him and his company.

Brown continued: “He didn’t deny my allegation that they had come by this information illegally but did go on to say they would cease any contact with our clients. Hmmm.

“This is one of the most shocking and blatant attempts to try and destroy a competitor’s business I have come across in over 30 years of estate agency.  I am used to the usual rough and tumble but this?

“I have emailed the director of the firm in question for an explanation but none has been forthcoming unsurprisingly.

“My partner has raised a subject access request to establish how and when they came by his details as there is an obvious GDPR breach here also. It will be interesting to see if that merits a reply.”

Homesearch EOS

Email the story to a friend


  1. smile please

    Sadly this happens fairly regularly. Employee leaves takes a copy of the database.


    Frustrating but sadly all too common.

    1. CountryLass

      I’ll usually take a ‘souvenir’ from a work place, name tag, something small like that, but it would never occur to me to take client details!

      I mean, at my last place I did take a document I had made with contact details for utility companies etc, all information that I could have found again, but it would have been a pain in the bum. I left it there as well, I just emailed a copy of it to myself.

      1. PeeBee

        “I mean, at my last place I did take a document I had made with contact details for utility companies etc, all information that I could have found again, but it would have been a pain in the bum”

        Consider yourself forgiven, CL – and if the boys in blue do come knocking at your door, tell ’em yer old mate PeeBee says you’ve been let off with a caution! ;o)

        1. CountryLass

          Thanks PB, you’re a star!


  2. Eyereaderturnedposter12

    We had a very similar scenario a couple of years ago…the breach was formally reported to the ICO, with supporting evidence (being confirmed reports from a number of clients, in writing- including the emails sent from the ex-staff member explaining that she’s moved to a different firm and took client information with her!) as being a clear breach of GDPR by one individual and ex-employee.
    The ICO was entirely disinterested, and responded with a “stock” response, stating they will keep the report of the matter on file for training and informational purposes…but will not act, or even make contact with the individual in question.
    Conversely, the number of management candidates I’ve had sit in front of me for the final interview stage, and openly offer their current firm’s client to list to me, if they get the job…is not an insignificant number. I end the interview then and there, and explain that they have been been unsuccessful as they clearly lack even an iota of professional integrity!    

    1. Mrlondon52

      These people are clearly so stupid they should never be hired just on intellectual ability, never mind integrity.

    2. PeeBee

      And to think someone’s given this a “thumbs down”.

      Must be one of those unemployables you’ve kicked out of the interview room, Eyereaderturnedposter12…

      1. Eyereaderturnedposter12

        I suspect it’s more of a general personality based dislike 😉
        I don’t give a thumbs down to comments generally Peebee…I prefer sensible debate/discussion, and it’s (for the most part) interesting and enlightening…

  3. AlwaysAnAgent

    If the employer has managed this correctly, why not enforce the employment contract? In the contract there are clauses that cover non-solicitation and confidentiality. These are enforceable.

    Instead of talking to PIE, the agent should do everything in his power to protect his clients details which are now being abused. He should instruct a solicitor to enforce the employment contract which, if he chooses, may include a claim for damages. A loose promise from the data thief is not very reliable.

    I assume the agent either didn’t have an employment contract in place, or simply does not want to spend money on legal feels to protect his clients’ data. Fighting back against this is the only way to prevent damage to his business.

    1. Eyereaderturnedposter12

      That all sounds well and good (In an ideal world!)…
      However, the matter comes down to simple arithmetic:
      -Has there been a tangible loss to your business,  through this data theft?
      -If yes, what is the cost of that loss?
      -What will the cost of pursuing this loss (that is to say does the cost of pursuit outweigh the cost in terms of lost business/ “goodwill”?
      -You also seem to fail to take into account the prospect for success, which is by no means assured. 
      -The penalty? A small fine (if any) and a “slap on the wrist” and peppercorn amount to the claimant.
      From experience, the cost of pursuing via lawyers worth their salt, will likely be significantly higher than the loss incurred through the breach (if your clients are satisfied with the service you’ve been providing, that is!)…which rather renders the pursuit slightly pointless.
      As for reporting the breach via the official channels (ICO)…Good luck with that, unless you’re Google or Three, they’re not hugely interested.  

      1. Woodentop

        Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998 as amended 2018.  
        A word of warning to employers …..  
        The UK Supreme Court’s decision in 2020 in the case of Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 confirmed that that an employer cannot be held liable for actions of an employee who commits an illegal act in pursuance of their own independent venture that is unrelated to activities they are authorized to undertake on behalf of their employer. While this decision will give some comfort to employers, companies nonetheless risk very significant revenue-based fines and claims for compensation by data subjects if personal data is not sufficiently protected by adequate safeguards.

  4. AlwaysAnAgent

    The action that you took when it happened to you wasn’t effective, you said that yourself.


    The only effective way is to bite the bullet and spend money. If you’re not that way inclined, that’s fair enough. I would personally fight for my clients. You’re right in that it’s a commercial decision, and the costs have to be weighed against the benefits, but isn’t that the same with every decision we make?

    1. Eyereaderturnedposter12

      It’s important to understand that there’s two issues here, that have differing processes and remedies attached to them:
      1) GDPR breach- The appropriate channel/body to address this is via ICO. 
      2) Bringing a commercial (or in certain instances a private) litigation against the individual involved. This would be seeking compensate for and relating to loss (tangible and provable).
      Hypothetical question: –
      What remedy would you seek from the Court via commercial litigation in such an event (bearing in mind the individual you’ll be pursuing will sit within an annual income range of probably £30-£50k)?
      -What would you expect the Court to realistically order in the judgement, were you successful.  
      It really isn’t as “open and shut” as your comments seems to suggest. The idea is all very noble, and I absolutely agree that there should be consequences to negative actions…but I suspect your take on the effectiveness and/or your personal perception of deserved/appropriate compensation, may not not align with the reality of any such situation.    

      1. AlwaysAnAgent

        Respectfully, you have posted some rather silly questions as we don’t know the full facts or the extent of any losses.
        The agent should pick up the phone, call a solicitor and begin a claim for losses and breach of contract. It isn’t complicated. The agent either does not have an employment contract or doesn’t want to spend any money on legal fees. 

        1. Eyereaderturnedposter12

          The hypothetical question posed, was to establish the basis of your clearly strong viewpoint on the matter of pursuit of such parties. More importantly that you seem to believe success is guaranteed…this thought could really put a spanner in your accounts if you ever decide to litigate! Caution and cost benefit analyses, are your friends!

          Yes, certainly speaking to a solicitor is very easy (as you say its just a case of picking up the phone)…achieving a successful litigation, at no loss, is an entirely different “ball game”! Particularly when the defendant is of significantly lesser means than the claimant.

          Perhaps my question was silly…

          Have a successful day!




          1. AlwaysAnAgent

            Wide words, as always. You too!

  5. daviddortongibson

    As mentioned above, this is a clear breach of GDPR (now more correctly UK GDPR as we have ceased to be under the EU GDPR).

    Two things of note, the law requires you to report loss of data to the ICO, it does not matter if they do anything with that but you don’t want to be breaking the law by not reporting it, with the faint potential that you get fined. You should do this immediately.  You should also contact everyone whose data has been breach to explain, and perhaps just as importantly explain it is theft and they would be well advised not to go with a company using such dishonest means. Under the Privacy and Electronic Communications Regulations the other agent needs the landlords’ consent to contact them by email. Ask your landlords to email the new company requiring them not to break the law in contacting them.

    As mentioned above I would get a solicitor to write to both the member of staff (though the article does not make it clear if you know which member of staff) and the other company on a “cease and desist” basis and explaining that you have reported it to the Information Commissioners office.

    Last look at your employment contract and ensure that it is clear about ownership of data and that it is an offence to take customer data when they leave. Even if they know of a landlord thorough there work and don’t actually take a memory stick of info, they only know that landlord through working for you and so contacting them based on what they know from their job (personal information about them) could still be breaking the law.

    Good on those of you who end an interview when offered another companies database. After all, it is not rocket science, if they bring a list to you what are they likely to do when they leave and want that next promotion?

  6. Carpets And Curtains Included

    You really should commence legal proceedings against the former employee. As a director, you have a responsibility to the Ltd company to protect it, but possibly more importantly, if you do nothing then other members of staff who might be similarly inclined will see you as a soft touch. Even if it is cost prohibitive to pursue the case all the way, if you engage a lawyer to write to the member of staff concerned telling them you will seek damages as a result of their actions, and you have reported them for a deliberate GDPR breach, it sends a clear message to them and others in your office who might  be tempted to do the same when they move on.

  7. anon-mon73

    I’ve had at least 3 employees take out database.

    the first we got a solicitor on the case who said he needed £20k to fight it as a serious claim. He would do a threatening letter to dissuade them if I wasn’t serious about going all the way.

    Anther took the database but forgot the telephone numbers (different screen) and offer a current member a few hundred if they would pass them over.

    I know agents who will only take on staff “if you can bring landlords over with you” and he openly says they need a database. (Luckily he’s out the business now).

    It’s rife and easy to do now with a database and a spreadsheet

  8. flockfollower102

    There is a lot of very good advice here. A line should be drawn in the sand with the employee and competitor with actions stated above. However, if this company were to proceed to court for damages, then they would need to demonstrate a loss. I do not expect they will lose many if any landlords as the majority of people do not like this sort of thing and they also do not want the hassle of changing agents.

    Unless the employee was a key member, responsible for valuations and the main point of contact with these landlords, I would protect myself and my company as advised above, spend money on a solicitors letter to the relevant parties and then move swiftly on to running my business.

  9. Woodentop

    Some of the stories above seem to be old news from years ago? Totally different story today with new legalisation and case law. It is now a criminal offence, not civil and with all the hang-ups lawyers liked to play with.  
    Employers must have a convenient in their ‘terms of employment’ with every employee. If you haven’t one, then issue an addendum … NOW. And don’t forget to have safe data guards in place or the employer could be for it from individuals who have had the data stolen.  
    The Information Commissioner’s Office (ICO) has warned that the action of employees taking the proprietary information of their employer unauthorised when leaving a business is a criminal offence. Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998 as ammended 2018. The offence is punishable by a fine – up to £5,000 in a magistrate’s court or an unlimited fine in a crown court.
    Could look on the bright side, they didn’t hit the “delete” button on the way out! (you do back up data?).

  10. Joseph60

    All companies should take immediate and decisive action against former employees who do this.  It is disgraceful.

  11. DASH94

    What about the ethics of a company that would use this information if it were offered?

    Employing someone who brings business with them is one thing, but using what is quite clearly a stolen mailing list is a very bad look for the agent

  12. Gangsta Agent

    GDPR, breach of employment, legal action, commercial litigation, immediate & decisive action.

    What about a good old fashioned telephone call or better still a visit to the guys/gals house for a “chat” which I suppose would be immediate & decisive action

    1. Woodentop

      Probably lives in rented accommodation and need to give advanced notice (to be out).

  13. Property Poke In The Eye

    It’s a Martin and Co database – can’t have much value anyway – otherwise they would be at the the competitors office demanding them to delete the data and inform the ICO of the data breach.


You must be logged in to report this comment!

Comments are closed.

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.