Inquests begin after details of one million bank customers found on computer sold on eBay

13 April 2012

The eBay computer scandal which saw the loss of personal data on a million bank customers is to be investigated by the Information Commissioner.

The firms involved - the Royal Bank of Scotland, NatWest and American
Express - have also promised to launch probes.

The Mail revealed today that the data was found on a second-hand computer sold for £35 in an eBay auction.

'A thief's treasure chest': Andrew Chapman with the hard disk drive he bought on eBay containing the private bank details of more than a million people

'A thief's treasure chest': Andrew Chapman with the hard disk drive he bought on eBay containing the private bank details of more than a million people

It had belonged to Graphic Data, which stores financial information for organisations at its archive in Shoeburyness, Essex.

A spokesman for Mail Source, which owns Graphic Data, put the situation down to an 'honest mistake'.

She added: 'We know which employee took the server and sold it, but we believe it was an honest mistake and it was not intentional to sell it without the server being cleared.

'We want to stress that this is an isolated incident and we are investigating how the server was removed and sold.

'This is a very unfortunate incident and we are taking measures to ensure it will never happen again.'

The Mail Source employee sold the computer to Andrew Chapman, a 56-year-old IT manager from Oxford.

It held account numbers, phone numbers, signatures and other personal details, none of which are thought to have been handed to any third parties.

RBS, NatWest and American Express are expected to contact customers once they have analysed the data at risk.

The Information Commissioner's Office is investigating an apparent breach of the Data Protection Act.

A spokesman said: 'A data breach is very serious. Our investigation will look at the circumstances of how this happened, and we will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring.'

American Express said it was working 'as a matter of priority' to establish which of its card holders could have been affected.

A spokesman said: 'We have strict guidelines for suppliers around the security of information. We are currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected.'

An RBS spokesman said: 'We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency.'

The computer and a second server sold with it to Mr Chapman were tonight returned to Graphic Data.

Identity fraud is one of the fastest growing areas of crime in Britain and Home Office figures show it costs the economy £1.3billion a year.

But Marc Kirby, an IT lecturer at Cranfield University, said today that some firms did not realise how hard it was to delete computer files.

'You can't escape leaving a data trail in the 21st century, and it will only get worse,' he warned. 'People think they have deleted emails or documents but it is usually very easy to retrieve them.

'In most circumstances you can buy software on the internet for £25 that will retrieve almost anything, unless the computer has been totally wiped or the hard drive is destroyed.'

Case study

As someone with a limit of more than £20,000 on his credit card, Christopher Tomlins was shocked to learn that NatWest has lost the information that could give anyone access to his account. 

When told about the breach by the Daily Mail, Mr Tomlins, 32, said: 'It is like they have given my house keys to a stranger and then said, "Help yourself".'

Mr Tomlins's personal information is revealed in a photograph of an application for a NatWest 'black' credit card he made on April 14, 2005.

The completed application form contains his name, address, date of birth, mobile phone number and home phone number.

It also reveals his mother's maiden name, signature, annual income, bank account number, bank sort code and the 16-digit number of the credit card he was granted.

Mr Tomlins, who runs his own lighting company in Ealing, West London, said: 'I am amazed that NatWest have let this information get out. If the company looking after the information was getting rid of the computer, they should have destroyed the hard drive.'

Mr Tomlins's details were contained on one of 227 photographs of separate credit card application forms found on just one of 32 computer files containing NatWest card information.

Create a FREE account to continue reading

eros

Registration is a free and easy way to support our journalism.

Join our community where you can: comment on stories; sign up to newsletters; enter competitions and access content on our app.

Your email address

Must be at least 6 characters, include an upper and lower case character and a number

You must be at least 18 years old to create an account

* Required fields

Already have an account? SIGN IN

By clicking Create Account you confirm that your data has been entered correctly and you have read and agree to our Terms of use , Cookie policy and Privacy policy .

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged in