Personal details of more than one million bank customers exposed

The personal bank details of more than one million people have been found on a computer sold on eBay last week.

The data included bank account information, mobile phone numbers, dates of birth, e-mail addresses and signatures of customers of the Royal Bank of Scotland (RBS) and NatWest bank, as well as American Express.

Andrew Chapman, an IT manager at the University of Oxford, found the details after buying a second-hand computer to use as a home entertainment system.

The laptop came from a company called Graphic Data which digitally archives paper-based information.

"Graphic Data has confirmed to us that one of its machines appears to have been inappropriately sold on via a third party. As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed," said an RBS statement.

Graphic Data, which was acquired by Mailsource UK in April 2008, said the IT equipment that appeared on eBay was not intended to be disposed of by the company and investigations are ongoing to find out how this equipment was removed from one of Graphic Data's secure locations.

A colleague of Chapman, who discovered the data, said: "As an IT manager Andrew was concerned about what looks like a serious breach of the Data Protection Act. He wants to make sure this sort of breach is tightened up."

He said that this sort of breach might have gone unnoticed had Chapman not had IT skills and discovered the data when he was adding extra memory to the PC.

The FSA fined Nationwide almost £1m after a laptop containing customer data was stolen in November 2006.

A spokesman at the Financial Services Authority said the financial services watchdog has the power to fine companies for this type of data breach.

"The FSA takes data security seriously and expects regulated firms to do all they can to protect their customers' details, including ensuring that any part of their business which is outsourced abides by the same high standards expected of the firm. In the past 18 months, we have fined three firms over £2m for failing to protect their customers' details."

The FSA is also prepared to fine financial services companies for breaches committed by the firms they outsource services to.