More than 16.5 million people were placed at risk of identity theft, after their details were lost or stolen from financial services firms, Computer Weekly has learned.
The figures, obtained by Computer Weekly under the Freedom of Information Act, show that more than one in four UK consumers were placed at risk by financial firms last year.
The disclosure has sparked calls from opposition MPs for legislation to force financial services companies to report incidents to the Financial Services Authority.
Financial services companies reported 56 incidents of lost or stolen data to the Financial Services Authority (FSA) last year, Computer Weekly has learned.
Investigations by the watchdog revealed the firms had lost 16.57 million customer records in a total of 39 security breaches.
But the number of customers affected may be even greater. The FSA identified another 14 incidents where it was unable to determine the number of compromised records. And experts warned there is no guarantee firms always come clean to the regulator.
“If consumers find their banking information or identity is lost then the costs are high,” said security consultant Graham Cluley of Sophos. “If identity thieves get hold of the information then consumers’ financial circumstances could be in a state of crisis.”
Shadow Home Affairs Minister James Brokenshire called for greater controls on the security of personal data.
“With more and more people becoming the victims of identity fraud and other scams using personal information, we need to raise the bar on data security risk management,” he said.
The data protection watchdog, the Office of the Information Commissioner, said it was disappointing some firms were still failing to adequately protect their data.
“It is disappointing that some organisations are still failing to take their data protection responsibilities seriously,” said a spokesman.
“We have repeatedly called on chief executives to ensure that the security of individuals’ details is taken very seriously.”
An FSA spokeswoman said: “We expect firms to tell us about significant data loss and would take a dim view if we found out later that a firm had failed to notify us. We said in our data security report that it is possible that some data losses go unreported.”
The regulator refused to name the companies involved but has advised them to notify customers.
Security consultant Matthew Pemble, a former incident response manager at a major high street bank, said: “This figure is startling but we need to concentrate, not necessarily on the number, but on whether this is a high risk. A lot of high-scale losses of data occur when data has just gone missing rather than ending up in the hands of fraudsters.”
Fifty-six data loss cases were investigated by the Financial Crime Operations team at the FSA in 2007, according to FOI statistics obtained by Computer Weekly.
| Incident | Number of occurrences |
|---|---|
| Lost or stolen laptops containing customer data | 19 |
| External attack on computer system or database containing customer data | 2 |
| Customer data sent to wrong recipient | 7 |
| Lost CD/other media (USB stick, microfiche, back-up tapes etc) containing customer data | 14 |
| Multiple customers’ statements or credit cards lost or stolen in the post | 4 |
| Stolen briefcase containing customer data | 1 |
| Stolen filing cabinet containing customer data | 1 |
| Multiple customer data stolen or removed from firm without authorisation by an employee or contractor | 4 |
| Hardware disposed of without being adequately cleaned of customer data | 1 |
| Stolen server containing customer data | 1 |
| Investigation of general data security systems and controls weakness | 1 |
| Insecure disposal of confidential paper | 1 |
Copyright © 2008 Reed Business Information – UK. All Rights Reserved.