A GANG of fraudsters have been jailed for their part in a £1 million Next Directory scam masterminded by a Glasgow internet hacker.
The criminals led by Edward Mullen used and sold on details of hacked accounts belonging to hundreds of customer.
Mullen – who was caged for 18 months – preyed on punters who used the same log-ins – then one he’d gained access to their details made them available on the “dark web” which is not visible to “normal” users.
Among those in the gang was mum of two Leisha Johnstone, of Annan, Dumfries, who received a 12-month sentence.
The information, hidden from search engines, netted the users £64,000 of goods from the Leicestershire clothing and homewares giant.
Leicester Crown Court heard the scam was perpetrated across the UK.
Log-in details for 280 legitimate mail order accounts were sold on to other fraudsters, via Facebook closed groups.
The details were not leaked or stolen from Next organisation, whose security system was not infiltrated, but were obtained by banking and other internet fraud.
Matthew Lowe, prosecuting, said: “The Next customer account details became available on the deep or dark web.”
They were obtained by Mullen, 30, who recruited mother-of-five Toni Louise Willis to sell “large amounts” of information using PayPal or bank transfer.
Willis, 32, of Chelmsford, Essex, in turn recruited Johnstone, 25, to also sell the information.
Mr Lowe said the defendants were using a Facebook group set up by co-accused, Matthew Corry, 28, of Dramahoe, Londonderry, called Super Fun Happy Land.
He said: “The fraud was carried out by the co-defendants and other conspirators.
“Those who successfully used the hijacked accounts were encouraged to post photographs of their spoils on the Facebook group to advertise and promote the fraud.
“In November last year, Next became aware of the Facebook group and carried out their own investigation, before handing details to the police.
“Willis was arrested in December and items were seized from her.”
Craig Ashley, 32, of Cresswell, Derbyshire, who also set up a Facebook group called Exclusive Deals, was arrested and goods obtained by fraud were recovered.
The two women and three men pleaded guilty to conspiring together and with unknown others to defraud Next Plc between October 2015 and April 2016.
Sentencing the five Judge Nicholas Dean QC said: “What lies behind this is extremely simple to state; it’s greed.
“All of you saw an opportunity to make easy – and you thought risk-free – money at the expense of Next Plc.It wasn’t sophisticated, but it was persistent.
“The losses were not insignificant, but the potential losses were very significant. I must take into account the impact upon the victim in this case – Next plc.
“Although the actual loss doesn’t strike me as being very considerable for that very large company, the reputational loss is incalculable.
“It doesn’t take much imagination to understand that members of the public hearing of offences like these will not go near a Next account with a barge pole, they will consider, whether accurate or not, that they may be at risk of having their account details stolen.
“It’s not a case in which the slightest responsibility applies to Next for your offending or for their account details being stolen.
“Their security arrangements and attempts to detect fraud couldn’t be criticised.”
The judge added: “It’s not a case of just obtaining goods using account details you obtained, you were selling the account details stolen from Next to others so that they could commit fraud.
“This was wholesale supply of hacked accounts, providing a facility for others.
“This is a crime that’s, these days, prevalent and involved persistent offending by each of you.”
Top stories
Judge Dean told Mullen: “You were the source of all of these stolen details, the top of the tree.
“You had nothing to do with their original theft, but knew how to access them.”
Corry and Willis were both caged for 15 months while Ashley was handed an eight month jail term.
A sixth defendant, Rachel Wall, 30, of Gorleston, Norfolk, who had used compromised accounts to obtain £11,000 of goods, but had not passed or sold details on, also admitted the conspiracy.
She was given a six month sentence suspended for 18 months.
Speaking after the hearing, Det Chief Insp Ed McBride-Wilding said: “The targets were customers who used the same log-in and password for other online accounts where their details had been stolen during data breaches involving other companies.
“This case emphasises the need to use different passwords for every business and home account or application.”
A Next Plc spokesman said: “We were pleased the judge commended Next’s security systems and we’d like to reiterate that at no point was any customer data hacked or stolen from Next.
“We are also pleased our customers suffered no financial loss and we were able to act very quickly.”
The defendants are due to face a proceeds of crime confiscation hearing in May.
We pay for your stories! Do you have a story for The Scottish Sun Online. Email us at scottishsundigital@news.co.uk or call 0141 420 5266