Personal details of more than one million bank customers exposed

The personal bank details of more than one million people have been found on a computer sold on eBay last week.

The data included bank account information, mobile phone numbers, dates of birth, e-mail addresses and signatures of customers of the Royal Bank of Scotland (RBS) and NatWest bank, as well as American Express.

Download this free guide

From forensic cyber to encryption: InfoSec17

Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Andrew Chapman, an IT manager at the University of Oxford, found the details after buying a second-hand computer to use as a home entertainment system.

The laptop came from a company called Graphic Data which digitally archives paper-based information.

"Graphic Data has confirmed to us that one of its machines appears to have been inappropriately sold on via a third party. As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed," said an RBS statement.

Graphic Data, which was acquired by Mailsource UK in April 2008, said the IT equipment that appeared on eBay was not intended to be disposed of by the company and investigations are ongoing to find out how this equipment was removed from one of Graphic Data's secure locations.

A colleague of Chapman, who discovered the data, said: "As an IT manager Andrew was concerned about what looks like a serious breach of the Data Protection Act. He wants to make sure this sort of breach is tightened up."

He said that this sort of breach might have gone unnoticed had Chapman not had IT skills and discovered the data when he was adding extra memory to the PC.

The FSA fined Nationwide almost £1m after a laptop containing customer data was stolen in November 2006.

A spokesman at the Financial Services Authority said the financial services watchdog has the power to fine companies for this type of data breach.

"The FSA takes data security seriously and expects regulated firms to do all they can to protect their customers' details, including ensuring that any part of their business which is outsourced abides by the same high standards expected of the firm. In the past 18 months, we have fined three firms over £2m for failing to protect their customers' details."

The FSA is also prepared to fine financial services companies for breaches committed by the firms they outsource services to.