Whistleblower exposes Barclays customer data theft

Up to 27,000 customers could be affected

Barclays Bank, which today has announced a 25 percent fall in profits, is investigating a major data breach that may have affected thousands of customers.

An anonymous whistleblower has provided The Mail on Sunday with a USB key containing files on 2,000 of the bank's customers. He claims that this is a sample from a database of up to 27,000 files of personal information that has been sold on the black market for up to £50 a file, enabling rogue traders to carry out investment scams.

The stolen information includes passport and national insurance numbers, customers' earnings, savings, mortgages, insurance policies and health issues.

The whistleblower, a former commodity broker, told the Mail: "This is the worst [leak] I've come across by far. But this illegal trade is going on all the time in the City. I want to go public to stop it getting bigger."

Barclays said that it contacted the Information Commissioner and other regulators on Friday, as soon as it was made aware of the theft.

"Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business, which we ceased operating as a service in 2011. Based on what we have seen, this appears to be data from 2008 or earlier.

"We will take all necessary steps to contact and advise those customers as soon as possible so that they can also ensure the safety of their personal data," the bank said in a statement.

It added that the incident appeared to be a criminal action and that it will "co-operate with the authorities on pursuing the perpetrator".

The sensitive information was provided to the bank when customers applied for financial planning advice and filled out forms, such as questionnaires that measured a customer's attitude to risk. Each file is about 20 pages long.

"The data is a gold mine for traders because it is so incredibly detailed," the whistleblower told the Mail. "It gets them inside the customer's head."

The whistleblower said that until last year, he worked with a firm of brokers that tried to persuade people to invest in "all manner of dodgy schemes". Knowing such personal information about people could help brokers exploit their weaknesses and encourage them to invest in things like rare earth metals that did not exist. Up to 1,000 people could be victims of such scams, the whistleblower said.

The stolen data was distributed to the brokers as "Barclays leads", which the whistleblower claims he first became aware of in September, when he was asked to sell them to other traders for £8 a file.

He claims that his conscience "got the better" of him.

"It was all just so wrong," he told the Mail. "I wasn't a broker myself at this stage, but I had a business link to the firm."

When investors began to get suspicious, the firm of brokers tried to remove all evidence of the scams. However, the whistleblower kept the "Barclays leads" without the firm's knowledge.

The Information Commissioner's Office can impose fines of up to £500,000 on organisations that fail to protect customer data in line with the Data Protection Act.

Meanwhile, the Financial Conduct Authority (FCA) has the power to levy fines in the millions of pounds in data loss cases.

In 2012, Barclays received a fine of £59.5 million from the Financial Services Authority (FSA), the previous incarnation of the FCA, for misconduct relating to the reference rates at which banks lend to each other, known as the London Interbank Offered Rate (LIBOR).


Stories by Anh Nguyen
