Over 1 million American Express, Royal Bank of Scotland, and NatWest customers’ details have been sold on eBay.
The details were stored on a server, bought for just over 35 British pounds ($64) by Andrew Chapman, an IT manager from Oxford, England, last week. Chapman told CNET News sister site ZDNet UK on Tuesday that the server, a network attached storage (NAS) box, contained unencrypted backups of CDs.
“A professional organization holding this kind of data should have tested the disks to make sure (the information) was destroyed,” said Chapman.
The computer had been used by data-archiving firm Graphic Data to store the details on behalf of RBS, of which NatWest is a subsidiary. Details included names, addresses, bank account numbers, telephone numbers and customer signatures.
RBS said on Tuesday that it was in the process of investigating the incident.
“Graphic Data has confirmed to us that one of their machines appears to have been inappropriately sold on via a third party,” RBS said in a statement. “As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed. We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency.”
Graphic Data, a subsidiary of Sala International, said it had not planned to dispose of the server, and was investigating how it had appeared on eBay