Bank customer data sold on eBay

The details of customers of three banks were involved

An investigation is under way into how a computer containing bank customers' personal data was sold on eBay.

The computer, bought by IT manager Andrew Chapman for £77, had the sensitive details on its hard drive.

Mr Chapman, from Oxford, said the machine contained information on several million bank customers.

Details of customers of three companies, including the Royal Bank of Scotland (RBS) and its subsidiary, Natwest, were involved.

RBS said an archiving firm told it the computer had been "inappropriately sold on via a third party".

It said historical information relating to credit card applications for its bank and others had been on the machine.

Basic knowledge

The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names.

Andrew Champman on how he 'bought' bank customers' details

The problem came to light when Mr Chapman, 56, bought the computer, noticed the data and raised the alarm.

He said: "I was appalled when I found the bank account information. That sort of thing shouldn't have been listed on there."

Mr Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply.

"The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find if you know something about computers," he said.

Extremely regrettable

RBS and Natwest said they were taking the issue very seriously and were working to resolve it "as a matter of urgency".

A spokeswoman for the third company reported to be involved, American Express, said it took the security of its card members' data "extremely seriously".

"We are currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected," she said.

A spokeswoman for data processing company Mail Source, which is part of the archiving firm Graphic Data, said it was investigating how the computer equipment had been removed from a secure location.

"The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed," she said.

The incident was "extremely regrettable" and the firm was "taking every possible step" to retrieve the data and ensure it was an isolated incident, she added.

Clearly such details should never have been included in the hard drive of the computer offered for sale on eBay eBay spokesman When financial data goes missing

A spokesman for eBay said the firm was also looking into what had happened.

"Clearly such details should never have been included in the hard drive of the computer offered for sale on eBay," said the spokesman.

"We fully expect Mr Chapman to hand it back to Graphic Data as soon as possible. We will of course work with Graphic Data to establish how it came to be available for sale on our site."

The Information Commissioner's Office said an investigation would be launched as soon as Mr Chapman had handed the computer in to them.

A spokeswoman said: "We are now investigating this potential data breach and will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring."

Banks have an obligation under the Data Protection Act to keep all personal information secure.

Last year the Financial Services Authority fined the Nationwide Building Society £980,000 for a security breach, after a laptop containing customer data was stolen from an employee's home.