
The personal bank details of more than one million people have
been found on a computer sold on eBay last week.
The data included bank account information, mobile phone
numbers, dates of birth, e-mail addresses and signatures of
customers of the Royal Bank of Scotland (RBS) and NatWest bank, as
well as American Express.
Andrew Chapman, an IT manager at the University of Oxford, found
the details after buying a second-hand computer to use as a home
entertainment system.
The laptop came from a company called Graphic Data, which
digitally archives paper-based information.
"Graphic Data has confirmed to us that one of its machines
appears to have been inappropriately sold on via a third party. As
a result, historical data relating to credit card applications from
some of our customers and data from other banks were not removed,"
said an RBS statement.
Graphic Data, which was acquired by Mailsource UK in April 2008,
said the IT equipment that appeared on eBay was not intended to be
disposed of by the company and investigations are ongoing to find
out how this equipment was removed from one of Graphic Data's
secure locations.
A colleague of Chapman, who discovered the data, said: "As an IT
manager Andrew was concerned about what looks like a serious breach
of the Data Protection Act. He wants to make sure this sort of
breach is tightened up."
He said that this sort of breach might have gone unnoticed had
Chapman not had IT skills and discovered the data when he was
adding extra memory to the PC.
The FSA fined Nationwide almost £1m after a laptop containing
customer data was stolen in November 2006.
A spokesman at the Financial Services Authority said the
financial services watchdog has the power to fine companies for
this type of data breach.
"The FSA takes data security seriously and expects regulated
firms to do all they can to protect their customers' details,
including ensuring that any part of their business which is
outsourced abides by the same high standards expected of the firm.
In the past 18 months, we have fined three firms over £2m for
failing to protect their customers' details."
The FSA is also prepared to fine financial services companies
for breaches committed by the firms they outsource services to.