Barclays customer data debacle raises difficult questions
Revelations that Barclays confidential customer data was being sold on the black market have caused the bank some embarrassment over the weekend, but the incident raises more questions than it answers, according to observers.
“Assuming the reports are true, this type of data should be stored in encrypted form, so that it won’t be of any use to an outsider as they’ll see only gobbledygook,” Rik Turner, senior analyst at Ovum, told Banking Technology. “I would want to ask Barclays whether this data was stored in encrypted form, and if so how many people were authorised to access it. If it wasn’t encrypted, of course, that opens a different can of worms.”
According to a report in the UK newspaper Mail on Sunday, an anonymous whistleblower approached the paper with a memory stick containing the personal files of 2,000 Barclays customers. The whistleblower claimed it was a sample from a stolen database that might have up to 27,000 customer files on it, and further alleged that the files were being sold for up to £50 per file. The files included information on customers’ income, savings, mortgages, health status and insurance policies. Based on the information, those customers were contacted and conned into buying non-existent investment products.
Barclays said that the files appeared to be related to its financial planning business, which was closed down in February 2011, but said that there was no proof that 27,000 customer files had in fact been compromised, and characterised the claim as “hearsay”.
The bank is preparing to announce its results tomorrow and refused to respond to more detailed questions about the alleged breach.
Turner added that even if the data had been encrypted, an authorised insider at the former unit who purloined it would have been able to obtain it as clear text. “Given that a whistleblower is involved, this does look like it was an insider job. Its identity and access management platform should guard the bank against such attacks, or at least keep a record of who within the bank is authorised to access what, and who has actually been accessing it and when.”