Personal details of more than one million bank customers exposed

The personal bank details of more than one million people have been found on a computer sold on eBay last week. The data included bank account information, mobile phone numbers, dates of birth, e-mail addresses and signatures of customers of the Royal Bank of Scotland and NatWest bank, as well as American Express.

Karl Flinders, Emea Content Editor, Computer Weekly

Published: 26 Aug 2008 13:02

The personal bank details of more than one million people have been found on a computer sold on eBay last week.

The data included bank account information, mobile phone numbers, dates of birth, e-mail addresses and signatures of customers of the Royal Bank of Scotland (RBS) and NatWest bank, as well as American Express.

Andrew Chapman, an IT manager at the University of Oxford, found the details after buying a second-hand computer to use as a home entertainment system.

The laptop came from a company called Graphic Data which digitally archives paper-based information.

"Graphic Data has confirmed to us that one of its machines appears to have been inappropriately sold on via a third party. As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed," said an RBS statement.

Graphic Data, which was acquired by Mailsource UK in April 2008, said the IT equipment that appeared on eBay was not intended to be disposed of by the company and investigations are ongoing to find out how this equipment was removed from one of Graphic Data's secure locations.

A colleague of Chapman, who discovered the data, said: "As an IT manager Andrew was concerned about what looks like a serious breach of the Data Protection Act. He wants to make sure this sort of breach is tightened up."

He said that this sort of breach might have gone unnoticed had Chapman not had IT skills and discovered the data when he was adding extra memory to the PC.

The FSA fined Nationwide almost £1m after a laptop containing customer data was stolen in November 2006.

A spokesman at the Financial Services Authority said the financial services watchdog has the power to fine companies for this type of data breach.

"The FSA takes data security seriously and expects regulated firms to do all they can to protect their customers' details, including ensuring that any part of their business which is outsourced abides by the same high standards expected of the firm. In the past 18 months, we have fined three firms over £2m for failing to protect their customers' details."

The FSA is also prepared to fine financial services companies for breaches committed by the firms they outsource services to.

Personal details of more than one million bank customers exposed

Read more on IT risk management

RBS, Barclays and NatWest customers suffer more mobile banking outages

UK financial regulator FCA probes RBS IT failure

Hardware fault causes more RBS service outages

FSA demands review of RBS software failure

SearchCIO

3 steps to recalibrate a strategic IT roadmap

Experts predict hot enterprise architecture trends for 2021

Cloud, security top list of IT spending priorities

SearchSecurity

SonicWall breached through 'probable' zero-day vulnerabilities

4 ways to minimize the risk of IT supply chain attacks

Standardize cybersecurity terms to get everyone correct service

SearchNetworking

SolarWinds: Lessons learned for network management, monitoring

7 key SD-WAN trends to evaluate in 2021

10 network security tips in response to the SolarWinds hack

SearchDataCenter

Modular UPS systems provide flexible power management options

IBM revenues head south again as hardware, services sales dip

Get a template to estimate server power consumption per rack

SearchDataManagement

Enterprise data lakes hold the key to actionable insights

Data fabrics help data lakes seek the truth

Kyligence builds out data cloud for OLAP and big data