23 June 2005
thisisLondon
A number of UK banks could to be investigated by the data protection watchdog following reports that details of 1,000 UK customers' accounts were sold in India.
The Information Commissioner's Office (ICO) said it seemed likely that a criminal breach of the Data Protection Act had occurred after a Sun reporter bought the details from an Indian man who claimed to get them from corrupt call centre workers.
The reporter was sold account details, addresses, passport and driving licence information, and credit card numbers for just £3 each.
He was also given the issue and expiry dates of bank cards, as well as the three digit security number from the back of the card, as well as passwords and answers to security questions.
The details would be enough to enable a fraudster to drain someone's account of money, buy goods over the internet or telephone using their credit card or apply for credit in their name.
The ICO said: "It is a matter of great concern that such customer details were apparently obtained so easily.
"It seems likely that a criminal breach of the Data Protection Act 1998 has occurred. We will be contacting the City of London police, as well as taking the matter up with those UK companies whose customers' details have been provided to The Sun.
"There are clearly questions for them to answer regarding the steps they are taking to ensure the security of customer data that call centre staff have access to."
He added that companies that used third parties to provide services involving the use of personal data, such as call centres, were legally required to ensure the reliability of these third parties and remained liable for any failures to adopt appropriate security.
The man selling the details, who said he got them from a network of call centre workers in Delhi, boasted he could get up to 2,000 account details a month.
