The personal details of around one million bank customers has been found on a computer bought on Ebay for £35.
Information of American Express, NatWest and Royal Bank of Scotland (RBS) customers was stored on the machine's hard drive, the Daily Mail reports. Details included names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers' maiden names and even signatures.
According to the Mail on Sunday , the computer was bought by IT manager Andrew Chapman of Oxford who discovered the data when checking the hard-drive.
The Daily Mail reported that an ex-worker for archiving firm Graphic Data sold it for £35 on eBay without removing sensitive information from the hard drive. Calls to Graphic Data were not returned at time of writing.
Royal Bank of Scotland said in a statement: "Graphic Data has confirmed to us that one of their machines appears to have been inappropriately sold on via a third party. As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed. We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency."
Graphic Data said: "The IT equipment that appeared on eBay was not planned to be disposed of by the company and investigations are still ongoing to find out how this equipment was removed from one of Graphic Data's secure locations. We take customer privacy and data security very seriously. This incident is extremely regrettable and we're taking every possible step to retrieve the data and ensure this is an isolated incident."
The Information Commissioner's Office is investigating the data breach. A spokesperson for the ICO said: "It is essential that companies have appropriate procedures in place to ensure that personal records are kept secure at all times. If companies are disposing of computer equipment they must take the necessary steps to ensure that any personal information stored on the hard drive is rendered unrecoverable. We are now investigating this potential data breach and will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring.”
The news follows the Home Office admission that one of its contractors had lost a computer memory stick holding the details of 127,000 criminals.
Nick Lowe, CheckPoint's regional director for Northern Europe said: "It seems that some organisations are still saying 'it can’t happen here'. This latest incident involving data on American Express, Natwest and Royal Bank of Scotland customers shows that it can happen, all too easily."
“Securing any kind of sensitive data has to be automated, so that employees or other users cannot alter or stop the security processes. Organisations have to protect their data, themselves and their employees against the risks of possible data leaks, and automation is the only way to do that.”