So T-Mobile has been named as the "source" of the data privacy breach reported by the ICO earlier this week. In that same press release Christopher Graham responded to the government announcement that serious breaches of the data protection act are likely to result in a custodial sentence from April 2010.

http://www.ico.gov.uk/upload/documents/pressreleases/2009/mobile_phone_records_s55_171109.pdf

Additionally organisations are also going to suffer stiffer fines of up to £500,000. Significantly up from the paltry £5000 currently in place. The office has chosen not to pursue an unlimited system although personally I would also like to see a quantifiable "per record" penalty, added on top of the fine,  in a manner similar to the PCI-DSS compliance contract.

Regardless of the fine levied by the courts in this case, the true cost of this breach to T-Mobiles business is likely to run into millions if the Ponemon Institute's findings hold true.

http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009 US Cost of Data Breach Report Final.pdf