Over 1 million American Express, Royal Bank of Scotland, and NatWest customers' details have been sold on eBay.
The details were stored on a server, bought for just over £35 (US$64) by Andrew Chapman, an IT manager from Oxford, England, last week. Chapman told ZDNet Asia's sister site ZDNet UK on Tuesday that the server, a network attached storage (NAS) box, contained unencrypted backups of CDs.
"A professional organization holding this kind of data should have tested the disks to make sure [the information] was destroyed," said Chapman.
The computer had been used by data-archiving firm Graphic Data to store the details on behalf of RBS, of which NatWest is a subsidiary. Details included names, addresses, bank account numbers, telephone numbers and customer signatures.
RBS said on Tuesday that it was in the process of investigating the incident.
"Graphic Data has confirmed to us that one of their machines appears to have been inappropriately sold on via a third party," RBS said in a statement. "As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed. We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency."
Graphic Data, a subsidiary of Sala International, said it had not planned to dispose of the server, and was investigating how it had appeared on eBay.
"The IT equipment that appeared on eBay was not planned to be disposed [of] by the company and investigations are still ongoing to find out how this equipment was removed from one of Graphic Data's secure locations," the company said in the statement. "We take customer privacy and data security very seriously. This incident is extremely regrettable and we're taking every possible step to retrieve the data and ensure this is an isolated incident."
The Information Commissioner's Office (ICO) said it would be investigating the breach.
"It is essential that companies have appropriate procedures in place to ensure that personal records are kept secure at all times, the ICO said in a statement. "If companies are disposing of computer equipment they must take the necessary steps to ensure that any personal information stored on the hard drive is rendered unrecoverable. We are now investigating this potential data breach and will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring."
Neither eBay nor American Express had responded to a request for comment at the time of writing.
This data breach follows the compromise of details of 84,000 prisoners in the United Kingdom by a Home Office subcontractor last week.