Barclays Bank is investigating a reported data breach. Approximately 27,000 customer details may have been sold on the black market.
The Mail on Sunday newspaper reports that the bank has been subject to a massive data breach in which as many as 27,000 customer details may have been sold onto third-parties on the black market.
These details supposedly date back to 2008 and concern customers that had initially contacted the bank seeking financial advice from Barclays Financial Planning, a now-defunct business division that was closed in 2011. The details are said to include critical information including names, addresses, medical records, National Insurance and passport numbers.
The newspaper cites a former commodity broker for the tip, and says that the source passed on the details via a USB stick which contained files on 2,000 bank customers. The source said that the details had been sold onto City brokers and added that the files, which could be sold for as much as £50 each, could be used by unscrupulous brokers to persuade victims to buy “questionable investmentsâ€.
In response, the bank said that the data breach, which is in breach of the UK's Data Protection Law, looked like criminal activity and promised an investigation with the Financial Conduct Authority.
 “This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator,â€Â said Barclays in a statement.
“Protecting our customers' data is a top priority and we take this issue extremely seriously,†a spokesperson said in a statement. “We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.â€
The Financial Conduct Authority added: “Barclays has contacted us and we will be working with them to understand exactly what has happened and what steps consumers may need to take.
“Consumers rightly presume their data is safe with their bank, and this should serve to remind all firms how important it is they have the correct procedures in place to ensure data is secure and used appropriately. We will continue to investigate the issue with Barclays over the coming days.â€
Steve Smith, MD of data security specialist Pentura, told SCMagazineUK.com that this latest data breach illustrates the need not only for data policies but also for companies to ensure safe storage and data disposal.
"This shows that even older customer data from closed businesses or subsidiaries can have real value if it should fall into the wrong hands,†said Smith. “It's critical that firms holding this type of sensitive data have policies to protect that information, and to control who has access to it, from when it's originally created right through to its long-term storage and disposal.
“This is the only way to control these types of breach, so that their origins can be traced and any vulnerabilities quickly closed.â€
David Robinson, chief security officer at Fujitsu UK & Ireland, added that while banks are the most trusted sector for data security that could change in light of attacks like these.
“Data trust is at a ten year low amongst consumers. Our recent research showed that only nine per cent believed that organisations were doing enough to protect their data. Barclays' data breach will serve only to enhance this feeling,†Robinson said.
“Currently, banks are the most trusted sector when it comes to personal data. But, they are also the sector which can suffer the most from the loss, of it. While only one in four would switch banks due to an IT failure; a security breach, which leads to the loss of personal information, could lead to a massive seven in ten choosing to switch.â€
This attack comes just days after results were posted from the recent Waking Shark II exercise, where hackers targeted each bank's cyber defences. In the Bank of England's report, they certainly found some room for improvement - notably that the banks didn't collaborate with each other, didn't call the police when breached and also expressed confusion surrounding regulatory reporting.
