natali_mis - stock.adobe.com

Coronavirus face mask spammer fined by ICO

The director of software company Studios MG spammed members of the public at the height of the pandemic as one of its directors tried to shift a job lot of face masks

The Information Commissioner’s Office (ICO) has fined London-based software consultancy Studios MG Ltd, £40,000 after it sent 9,000 unlawful spam marketing emails selling facemasks during the initial Covid-19 outbreak in April.

The ICO’s investigation found Studios MG was not involved in the business of supplying personal protective equipment (PPE), but that at the height of the initial panic over Covid-19 its sole director – named at Companies House as Malcolm Graham – had decided to buy a stockpile of facemasks to sell on at a profit. A serial tech entrepreneur who was once profiled in London’s Evening Standard, Graham is associated with numerous other companies, including startup Aceify, a tennis coaching app.

Andy Curry, ICO head of investigations, said: “The ICO has investigated a number of companies during the pandemic with the aim of protecting people from being exploited by unlawful marketing attempts. Nuisance emails are never welcome at any time, but especially when people may be feeling vulnerable or worried and their concerns heightened.

“We pursued this case because the company broke the law and invaded people’s privacy. We will take action where we find systematic flouting of the law and evidence of companies trying to make money from people via nuisance marketing.”

The ICO said that after it contacted Studios MG, the company deleted a database of key evidence which would have showed the full extent of the volume of emails sent. The company’s mailing list comprised a contact list scraped from several different sources, including LinkedIn and email contacts.

Studios MG was unable to show the ICO that it had got permission from any of the contacts on its list, or any accounts for the period covering the activity, an offence under the Privacy and Electronic Communications Regulations (PECR) 2003, which covers people’s privacy rights in relation to marketing calls, emails, texts and faxes, browser cookies, the security of comms services, and customer data such as location, billing and so on. The maximum penalty that the ICO is allowed to levy under the PECR is £500,000.

Spam and scam emails such as those sent by Studios MG were among a number of cyber security threats highlighted during the initial Covid-19 outbreak, as malicious actors tried to exploit widespread public fears over the virus.

Read more about email threats

Face masks, such as those that Studios MG attempted to profit from, were among a number of items that were hoarded and sold on at vastly inflated prices by unscrupulous profiteers, often using services such as Amazon Marketplace and eBay.

In March, the Competition and Markets Authority (CMA) launched a Covid-19 Taskforce to try to address the problem of online traders exploiting the coronavirus.

However, an investigation by consumer advocacy group Which? found that online platforms were struggling to deal with the sheer volume of profiteering.

Which? found hundreds of active listings and auctions for overpriced items. These included a £40 thermometer priced at £300 on eBay and £150 on Amazon, a £3 bottle of disinfectant being sold for £29.99, and a bundle of three bottles of Dettol and three packets of antibacterial wipes for £210 on eBay.

Read more on Hackers and cybercrime prevention