Barclays bank has launched an investigation following a data breach which saw 27,000 customers’ details stolen and sold.
The Mail on Sunday said it had been handed a memory stick by an anonymous ex-City worker. The USB drive contained files on 2,000 of the bank’s customers. The whistleblower indicated that records for a further 25,000 customers were also available and that they had, at one point, commanded a price of £50 per file.
The files in question run to about 20 pages in length for each customer and provide an immense amount of detail including, but certainly not limited to, the following:
- dates of birth
- national insurance numbers
- addresses and phone numbers
- health statuses
- and a large array of financial information, including salary, investments and attitude to risk
The Mail’s source, a former commodity broker, said,
“This is the worst [leak] I’ve come across by far. But this illegal trade is going on all the time in the City. I want to go public to stop it getting bigger.”
The whistleblower, who claims he previously worked for a firm that tried to get people to invest in ‘dodgy schemes’, said that he became aware of the existence of the Barclays files in September of last year after the boss of one of the brokerage firms he was working for asked him to sell the leads to other brokerages for £8 per file. The price was so low, he said, because all of the data had already been used and so was considered ‘secondary data’.
The firm in question had made use of the data from at least as early as December 2012, and the BBC reports that some files date back as far as 2008 – this particular breach has obviously been going on for quite some time.
It is not known at this time just how the data was stolen but, to my mind, it sounds likely to be an inside job. In any event, a data breach of this magnitude will have done little to improve public sentiment at a time when British banks are coming under more and more scrutiny, not to mention rising displeasure, from a populace still greatly affected by the banking crisis and the resulting on-going recession.
The Information Commissioner’s Office is set to work with the bank, police and the Mail on Sunday in order to obtain more details. If a case is made against Barclays then it could face a fine of up to £500,000 for losing personal data (which seems wholly inadequate to me). The Financial Conduct Authority, however, can levy unlimited fines.
A Barclays spokeswoman said,
“We are grateful to the Mail on Sunday for bringing this to our attention and we contacted the Information Commissioner and other regulators on Friday as soon as we were made aware.
Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business which we ceased operating as a service in 2011.
We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data.
Protecting our customers’ data is a top priority and we take this issue extremely seriously. This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator.
We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.”