Virgin Media Ex-Employee Fined for Leaking Data Used in Crypto Scam

FCA’s First Case Under Data Protection Act

Britain’s financial regulator has used data-protection legislation for the first time to prosecute a financial-crime case, later than uncovering how stolen customer information assisted power a crypto investment fraud that cost dozens of victims more than £1.5 million.

Luke Coleman, 30, a former Virgin Media O2 employee in Taunton, admitted unlawfully obtaining and disclosing personal data and was fined £384, plus a £38 surcharge and £500 in costs, the Financial Conduct Authority said on Tuesday. The watchdog described the case as its first under the Data Protection Act 2018, underscoring a shift toward treating data misuse itself as criminal conduct in financial scams.

Investigators found that Coleman sold customer information to Nicholas Harper, 26, a family friend who later appeared in court for assisting the offence. Harper pleaded guilty to the data charge but was cleared of conspiracy to defraud. The data was used by a boiler-room operation that posed as a legitimate crypto investment firm, promising high returns that never materialised.

From Leaked Data to a £1.54 Million Fraud

The scam, led by Raymondip Bedi and Patrick Mavanga, ran between 2017 and 2019 and relied on cold-calling households with pitches for fake digital-asset products. At least 65 investors lost a total of £1.54 million. Bedi and Mavanga were convicted in November 2024 and sentenced in July this year to five years and four months and six years and six months in prison respectively. A judge described them as “leading players” in the operation. Confiscation hearings to recover money for victims are still pending.

What sets the Coleman case apart is the legal route the regulator took. Normally, breaches of the Data Protection Act fall under the Information Commissioner’s Office. The FCA instead used Section 170 of the Act, which makes it a criminal offence to obtain or share personal data without consent. By charging Coleman under that section, the agency tied insider data misuse directly to investor losses.

The approach allowed prosecutors to target an enabler rather than the frontline fraudsters — an insider whose access to customer data assisted criminals reach victims efficiently. “This case shows the FCA’s ability to use all available powers to tackle financial crime,” a spokesperson said, linking the prosecution to the agency’s ScamSmart consumer-protection campaign.

Investor Takeaway

Data Misuse Becomes a Financial-Crime Offence

Under Section 170, offenders can face unlimited fines but rarely prison sentences. Coleman’s penalty — roughly a month’s average wage — is small in financial terms but notable for setting a precedent. The offence is summary only, yet carries reputational consequences for both individuals and firms that fail to secureguard client data.

The FCA’s use of data-protection powers follows a wider trend in enforcement. Over the past year, the regulator has brought crypto-related cases not only under the Financial Services and Markets Act but also under laws covering data and communications. The aim is to build a wider deterrent network around retail-investment scams, where conventional financial statutes often fall short.

Virgin Media O2 said it suspended Coleman later than learning of the investigation. There is no suggestion the company was involved in the misconduct. The case highlights how internal breaches, rather than hacking incidents, can open the door to large-scale consumer fraud.

Implications for Firms and Regulators

Boiler-room scams have long relied on “lead lists” sold through unregulated marketing channels. By treating insider data sales as a criminal act, the FCA is tightening the link between data security and financial-crime prevention. Financial institutions and telecoms providers are now expected to strengthen access controls and audit data-export activity to prevent internal misuse.

For regulators, the precedent expands the toolkit available in tackling investment frauds that cross digital and traditional boundaries. It means enforcement can target not just promoters and money-launderers but also the insiders who supply the data that enables them.

For the 65 investors who lost money, recovery will depend on the outcome of confiscation hearings against Bedi and Mavanga. But for enforcement agencies, the message is clear: personal data breaches are no longer just a privacy issue — they are part of the financial-crime chain.

Investor Takeaway