The UK's data and privacy watchdog has found that staff working for the Leave.EU campaign used access to the personal data of customers of an insurance company owned by Brexit's biggest financial backer, Arron Banks, to unlawfully send them political marketing material.
The Information Commissioner's Office (ICO) is due to present the findings of its major investigation into the use of data by the EU referendum campaigns to MPs in Parliament on Tuesday morning.
According to leaked sections of the report seen by BuzzFeed News, the ICO notified Leave.EU and Banks' Eldon Insurance on Monday that they are facing fines totalling £135,000 for the data protection breaches.
"We have concerns about the overall management of the data within the company [Eldon], particularly about the arrangements for sharing personal data handled by the company and its associates," the report states.
"We have evidence to show that customers' personal data, in the form of email addresses, held by Eldon was accessed by staff working for Leave.EU and was used to unlawfully send political marketing messages."
In one incident, in September 2015, a Leave.EU email newsletter was sent to more than 319,000 email addresses on Eldon's customer database. Leave.EU told the ICO that this was the result of an error in the email distribution system and claimed that it had reported the error.
"However," the report says, "we have no record of any such incident being reported to us and have asked the company for details to confirm this."
Leave.EU face a £15,000 fine for sending the email newsletter, because it "did not have the consent of the subscribers for the 296,522 direct marketing emails it sent", the report says.
The information commissioner also found that Leave.EU sent emails to its own subscribers promoting Eldon, which trades as GoSkippy.
"During two separate campaigns, Leave.EU sent emails to their subscribers which contained marketing information, promoting GoSkippy and its insurance products, for which they did not have consent," the report says.
More than a million emails were sent between February and July 2017 that included the company's banner and a discount offer for Leave.EU supporters. And in August 2016, an email was sent to 49,000 addresses on the Leave.EU database announcing a sponsorship deal with GoSkippy.
The information commissioner says it intends to fine Leave.EU and Eldon £60,000 each for these breaches.
With all three fines, the ICO makes clear that it is still awaiting representations from the companies and no final view has been reached yet.
Last week it was announced that Banks, who donated £8 million to the pro-Brexit campaign, had been referred for criminal investigation by the National Crime Agency by the Electoral Commission, which said there was "reasonable grounds" to suspect he wasn't the "true source" of the donations.
Banks – who heads up Eldon Insurance – has been at the centre of months of media speculation around contacts with Russian officials and persistent questions about the sources of his Brexit donations.
The report also details how the information commissioner has an enforcement order on AIQ – the Canadian-based data company for the Vote Leave Campaign – to "stop processing retained UK citizen data".
The ICO also investigated the use of data by the Remain campaign. The report says it "obtained information" over the course of the investigation that the Liberal Democrats "sold the personal data of its party members" to Better Stronger in Europe (BSIE) – the official Remain campaign – for £100,000.
"Both the Liberal Democrats and Open Britain [the successor organisation to BSIE] denied that party members' personal data had been sold," the report read. "Instead, both confirmed that the In Campaign bought Electoral Register information from the Liberal Democrats."
"We are still looking at how the Remain side of the referendum campaign handled personal data, including the electoral roll, and will be considering whether there are any breaches of data protection or electoral law," the report says.