The security breach was reported by the Mail on Sunday, which has seen the files of 2,000 Barclays customers.
The whistleblower claimed the files were a sample from a stolen database of up to 27,000 files, worth around £1.35m. The whistleblower said an unnamed firm of rogue brokers gave him the files to sell.
Fraudsters buy such data to carry out investment scams. “This illegal trade is going on all the time in the City. I want to go public to stop it getting bigger,” the whistleblower said.
The whistleblower said the rogue firm had already used the information to scam about 1,000 people, who were persuaded to invest in rare earth metals that did not exist.
Between December 2012 and September 2013, brokers at the rogue firm were given the files and used them to cold-call their victims, he said.
The files reportedly came from the now-defunct Barclays Financial Planning business. They contain the names, addresses, phone numbers, passport numbers, national insurance (NI) numbers and savings details of customers, and information about their dependents.
The division was closed after it was fined £7.7m in 2011 and ordered to pay up to £59m in compensation for mis-selling investment funds to more than 12,000 customers.
Protecting customers 'top priority'
Barclays says not all of the sample records belong to former customers, but it has ordered an internal investigation into how the files were stolen and said it would contact every customer affected.
“We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data.
“Protecting customers’ data is a top priority and we take this issue extremely seriously. This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator.
“We would like to reassure all our customers we have taken every practical measure to ensure personal and financial details remain as safe and secure as possible,” Barclays said.
Regulators weigh in
The bank faces possible penalties from the Financial Conduct Authority (FCA), whose fines are not capped, and from the Information Commissioner’s Office (ICO), which can impose penalties of up to £500,000.
“Barclays have contacted us and we will be working with them to understand exactly what has happened and what steps consumers may need to take,” an FCA spokeswoman told the Guardian.
“This should serve to remind all firms how important it is they have the correct procedures in place to ensure data is secure and used appropriately.”
Hazards of retaining old data
Steve Smith, managing director of data security firm Pentura, said: “This shows that even older customer data from closed businesses or subsidiaries can have real value if it should fall into the wrong hands.
“It is critical that firms holding this type of sensitive data have policies to protect that information, and to control who has access to it, from when it is originally created right through to its long-term storage and disposal.
“This is the only way to control these types of breach, so that their origins can be traced and any vulnerabilities quickly closed,” he said.