
Is your bank keeping your details safe? Probably not…


It’s rarely made public, but banks and building societies put your details at risk hundreds of times a year. And yet they hold some of our most sensitive data – so why can’t we trust them with it?

It’s almost impossible for us to find out just how good banks are at keeping our financial details safe.

That’s why we used Freedom of Information Act requests to the Information Commissioner’s Office (ICO) to find out how many data protection breaches banks and building societies have made. From August 2009 to August 2010 there was a total of 515 likely breaches made by eight of the UK’s biggest banks and building societies.

What happens when banks break the rules?

The Information Commissioner’s Office (ICO), which is responsible for upholding the rights we have over our personal data, has the power to force banks to take action or even fine them when they break the rules. But if the ICO decides that such action isn’t necessary to deal with the problem, the breach is not made public – this was the case in all 515 likely breaches made.

Barclays was the bank with the most potential breaches with 116 complaints, followed by Lloyds TSB with 114 and Santander with 103.

Over half of all complaints arose from firms failing to provide customers with copies of the data held about them properly. Other potential breaches included banks holding inaccurate data about customers, failing to follow security measures and the disclosure of data to third parties.

Our research also shows that only 13% of consumers know that they can complain to the ICO. Plus, there’s no obligation for an organisation to tell its customers or the ICO about the potential data protection breaches it has made, which means the 515 complaints we know about are probably just the tip of the iceberg.

What needs to change?

So what needs to change here? For a start, it should be made a requirement for banks and building societies to tell the ICO about all potential breaches. Plus, banks need to compensate people if a breach has caused them stress or they have had to spend time fixing the problem, such as by cancelling and ordering new bank cards.

We also want the ICO to publish all breaches it has come across on its website so that customers won’t be kept in the dark about the safety of their data anymore.

Do you feel that your financial details are safe with your bank? Have you ever experienced problems due to a data breach?


Time and again we hear about data breaches and nothing is done. This problem will never be solved until all offenders are identified, prosecuted and hefty fines imposed. This is the only language that these large firms understand. If the Information Commissioner keeps the information so secret that it takes action by Which? under the Freedom of Information Act to obtain the information there will never be confidence in data security. The Information Commissioner should be legally required to publish all breaches, action taken e.g. advice/prosecutions and the results.

Mikhail says:
3 June 2011

In Britain most people have some sort of “privacy schizophrenia”. Most banks have 2-3 stages of login barriers, so not only can the thieves not log in, but neither can their victims. So if one wants to see an absolutely secret transaction made in Tescos, a user ID, password, 3 characters of a memorable word and possibly an extra device will be needed. As long as it is impossible to remember all these bits of information most people, including me, save or write it down on a piece of paper, thus making the info even more vulnerable than the ‘12345’ passwords. I would prefer a user name and password that I can change to view my transactions, as this is what I do most of the time when I log in to my internet banking, and if I need something else, e.g., send money, set up a new SO or cancel DD, ONLY then go through extra security!

The second most popular disease here is megalomania. It seems to me everyone thinks they are so important and get stressed even if the bank replaces a debit card. I don’t care if anyone can see my bank transactions; it is not as if I’m buying drugs, guns and Viagra using my plastic card! There is an amazing service in the USA which can collect and analyse data from all my credit and debit cards, producing very useful charts and stats to help one to stay in control of expenditure. Again in the UK it has been done in the most stupid way, i.e., most banks have this service separately or don’t have it at all; if I have more than 1 debit card it is useless. Combine phone directory, postal code DB and open electoral register and you will get all needed information of at least 70-80% of the population anyway without any hassle.