Barclays Bank, which today has announced a 25 percent fall in profits, is investigating a major data breach that may have affected thousands of customers.
An anonymous whistleblower has provided The Mail on Sunday with a USB key containing files on 2,000 of the bank’s customers. He claims that this is a sample from a database of up to 27,000 files of personal information that has been sold on the black market for up to £50 a file, enabling rogue traders to carry out investment scams.
The stolen information includes passport and national insurance numbers, customers’ earnings, savings, mortgages, insurance policies and health issues.
The whistleblower, a former commodity broker, told the Mail: “This is the worst [leak] I’ve come across by far. But this illegal trade is going on all the time in the City. I want to go public to stop it getting bigger.”
Barclays said that it contacted the Information Commissioner and other regulators on Friday, as soon as it was made aware of the theft.
“Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business, which we ceased operating as a service in 2011. Based on what we have seen, this appears to be data from 2008 or earlier.
“We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data,” the bank said in a statement.
It added that the incident appeared to be a criminal action and that it will “co-operate with the authorities on pursuing the perpetrator”.
The sensitive information was provided to the bank when customers applied for financial planning advice and filled out forms, such as questionnaires that measured a customer’s attitude to risk. Each file is about 20 pages long.
“The data is a gold mine for traders because it is so incredibly detailed,” the whistleblower told the Mail. “It gets them inside the customer’s head.”
The whistleblower said that until last year, he worked with a firm of brokers that tried to persuade people to invest in “all manner of dodgy schemes”. Knowing such personal information about people could help brokers exploit their weaknesses and encourage them to invest in things like rare earth metals that did not exist. Up to 1,000 people could be victims of such scams, the whistleblower said.
The stolen data was distributed to the brokers as “Barclays leads”, which the whistleblower claims he first became aware of in September, when he was asked to sell them to other traders for £8 a file.
He claims that his conscience “got the better” of him.
“It was all just so wrong,” he told the Mail. “I wasn’t a broker myself at this stage, but I had a business link to the firm.”
When investors began to get suspicious, the firm of brokers tried to remove all evidence of the scams. However, the whistleblower kept the “Barclays leads” without the firm’s knowledge.
The Information Commissioner’s Office can impose fines of up to £500,000 on organisations that fail to protect customer data in line with the Data Protection Act.
Meanwhile, the Financial Conduct Authority (FCA) has the power to levy fines in the millions of pounds in data loss cases.
In 2012, Barclays received a fine of £59.5 million from the Financial Services Authority (FSA), the previous incarnation of the FCA, for misconduct relating to the reference rates at which banks lend to each other, known as the London Interbank Offered Rate (LIBOR).