Websites sell secret bank data and PINs

Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog.

Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow.

Richard Thomas, the Information Commissioner, will begin an investigation into the security breach today and Scotland Yard is also investigating. Experts said that the findings suggested that more personal data than ever before was going astray. The Times found: More than 100 websites trafficking British bank details A fraudster offering to sell 30,000 British credit card numbers for less than £1 each A British “e-passport” for sale, although the Government insists that they are unhackable.

The discovery comes as public alarm is growing about the dangers of identity theft. HM Revenue & Customs has yet to retrieve two lost CDs containing the banking details of 25 million Britons, which ministers admitted had vanished in the post a fortnight ago. At current underworld prices, these could fetch more than £100 million if they fell into the hands of hackers.

The News of the World disclosed yesterday that it had been handed two discs mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants.

Last year The Times discovered internet chatrooms where the hacked credit card details of 400 British people were being sold every day.

A spokesman for Mr Thomas said: “We will be looking at the evidence you have provided and investigating the circumstances. This looks serious and is a matter of genuine concern.

“We can take action against UK-based organisations that flout the Data Protection Act. If some of these websites are not UK-based we will work with our counterparts in the relevant country.”

Mr Thomas will address the Commons Justice Committee tomorrow on the addional powers that he says are needed to prevent breaches of data protection. He believes that reckless failure to protect information should result in prosecution and that his staff should have powers to raid government and business premises.

Hacking sites act as online bazaars for stolen personal information. They are well run, hierarchical groups structured like businesses. Some even have review sections where buyers can recommend a particular fraudster.

Geraldine Hernon, 30, of St Ives, Cambridgeshire, was shocked to hear that her credit card number, expiry date and security number were online with her address, telephone number and e-mail address. She said: “I can’t believe it. I will have to change my whole account. It is terrifying that people have the information. It is personal information. I feel really scared.”

The bank details of Robert Seabrook, QC, a deputy judge and former chairman of the Bar Council, were also freely available. He, too, described the breach as terrifying. “I am profoundly concerned,” he said. “One reads about the anxieties of data in the public domain but it is disconcerting to hear something so personal being available. If you can get this sort of thing for free who knows what is below the water line?”

Neil Munroe, the director of the credit reference agency Equifax and an expert on internet fraud, said that the depth of information obtained by The Times was greater than he had ever seen. “The detail you have got is very disturbing,” he said. “Normally we only see credit card numbers coming up but you have got e-mails, addresses, security and PINs. Everything. It is very scary.”

Senior police officers are concerned that current methods of dealing with large-scale data protection breaches are unworkable. Detective Chief Inspector Charlie McMurdie, of the Metropolitan Police e-crime unit, said: “At the moment people report internet crimes to a local police station but no one locally has the resources to investigate properly.”

Since April customers have been told to report card crimes to their banks rather than to the police. Mr McMurdie, backed by the main banks, has asked the Home Office for £1.3 million to fund a central e-crime unit.

Stolen identities

Criminals use three main methods to extract personal information

– Viruses contained in e-mails that install malicious software to collect information such as login names, bank account details and credit card numbers. Make sure you use up-to-date antivirus software

– Handheld credit card readers are used to “skim” cards and copy data that is then used to clone another one. Check your accounts regulary for unusual transactions

– Bin raiders go through rubbish bins to find discarded bank statements and utility bills. Make sure that all personal documents are shredded before you throw them out