The Mail on Sunday reports that Barclays has been subject to a large data breach in which the details of as many as 27,000 customers may have been sold on to third parties on the black market.
The details reportedly date back to 2008 and concern customers who had initially contacted the bank seeking financial advice from Barclays Financial Planning, a now-defunct business division that was closed in 2011. They are said to include highly sensitive information: names, addresses, medical records, National Insurance numbers and passport numbers.
The newspaper cites a former commodity broker as the source of the tip, and says that the source handed over a USB stick containing files on 2,000 bank customers. The source said that the details had been sold on to City brokers and added that the files, which could fetch as much as £50 each, could be used by unscrupulous brokers to persuade victims to buy “questionable investments”.
In response, the bank said that the data breach, which would contravene the UK's data protection law, looked like criminal activity, and promised to investigate together with the Financial Conduct Authority.
“This appears to be criminal action and we will co-operate with the authorities on pursuing the perpetrator,” said Barclays in a statement.
“Protecting our customers' data is a top priority and we take this issue extremely seriously,” a spokesperson said in a statement. “We would like to reassure all of our customers that we have taken every practical measure to ensure that personal and financial details remain as safe and secure as possible.”
The Financial Conduct Authority added: “Barclays have contacted us and we will be working with them to understand exactly what has happened and what steps consumers may need to take.
“Consumers rightly presume their data is safe with their bank, and this should serve to remind all firms how important it is they have the correct procedures in place to ensure data is secure and used appropriately. We will continue to investigate the issue with Barclays over the coming days.”
Steve Smith, MD of data security specialist Pentura, told SCMagazineUK.com that this latest data breach illustrates the need not only for data-handling policies but also for companies to ensure the secure storage and disposal of data.
“This shows that even older customer data from closed businesses or subsidiaries can have real value if it should fall into the wrong hands,” said Smith. “It's critical that firms holding this type of sensitive data have policies to protect that information, and to control who has access to it, from when it's originally created right through to its long-term storage and disposal.
“This is the only way to control these types of breach, so that their origins can be traced and any vulnerabilities quickly closed.”
David Robinson, chief security officer at Fujitsu UK & Ireland, added that while banks are currently the most trusted sector for data security, that could change in light of incidents like this one.
“Data trust is at a ten-year low amongst consumers. Our recent research showed that only nine per cent believed that organisations were doing enough to protect their data. Barclays' data breach will serve only to enhance this feeling,” Robinson said.
“Currently, banks are the most trusted sector when it comes to personal data. But they are also the sector which can suffer the most from the loss of it. While only one in four would switch banks due to an IT failure, a security breach which leads to the loss of personal information could lead to a massive seven in ten choosing to switch.”
Privacy lawyer Olivia Harrison, a solicitor at Field Fisher Waterhouse LLP, told SCMagazineUK.com that the breach could ultimately mean a heavy sanction for the bank.
“This is of course a very serious matter for Barclays, not just in terms of the financial and regulatory consequences that could arise from action taken by the ICO and the FCA, but also in terms of the potential damage that could be done to Barclays' reputation,” she said.
“In my view, the most significant point about this is that Barclays has been the subject of a criminal act and neither the regulators nor Barclays' customers or other members of the public should lose sight of this. Barclays must comply with certain legal obligations as regards the processing of its customers' personal data, but the law also makes it an offence for any person to obtain, disclose or sell that data without Barclays' consent.”
Harrison added that “we have seen nothing yet to suggest” that Barclays had acted against its legal obligations, and said that it may yet be able to put together “very compelling legal arguments” should the regulators take action.