The illegal sale of pension details from members of the public by 'list broker' firms has been highlighted in a sting operation by consumer affairs group Which?.
Posing as a pensions early release firm, the consumer research company was told by 10 out of 14 firms which sell lists of customer details that it could purchase the details of a total of half a million names and telephone numbers.
Such actions breach several rules. List brokers must carry out due diligence on the organisations the details will be passed onto and for what specific purpose the information will be used.
But the fake company created by Which? was not listed at Companies House, not regulated by the Financial Conduct Authority or registered with the Information Commissioner’s Office (ICO).
Furthermore, as part of the investigation, Which? was sent a sample telephone list on which 13 out of 18 people were registered with the Telephone Preference Service. This is a service people join to avoid nuisance calls.
In one of the worst breaches, Which? was offered a list containing 26,000 names along with National Insurance numbers, pension provider details, pensions sizes and policy numbers.
The details of these individuals was on sale for between 4p and 66p per person.
Only four of the list-broking companies contacted demonstrated best practice by refusing to deal with the investigative team from Which?.
Harry Rose, money editor at Which?, said: "Our investigation found a trail of evidence of irresponsible behaviour and opaque supply chains within the list broker industry, with some firms seemingly willing to sell us data even though our fake company looked remarkably like a scam outfit."
He said that most of the companies approached were vague about where their data originated. Three companies said their lists came from other data traders, to which people on those lists would have to have given their consent before being transferred.
Which? passed the details of its investigation to the ICO which has promised to investigate.
The ICO told Which? the findings were "very concerning and appear to raise serious issues about the compliance of organisations with data protection law". The ICO has the power to impose fines on such companies of up to £500,000.
In November 2015, the ICO announced it was targeting list brokers to clamp down on nuisance calls and illegitimate activity.