"The Royal Bank of Scotland acknowledged that a machine belonging to archiving company Graphic Data and sold "inappropriately to a third party" had information on credit card applications from some RBS customers and data from other banks. The computer contained account numbers, passwords, mobile telephone numbers and signatures."

"A former employee from Graphic Data sold a computer server used by the company on eBay without wiping the internal hard drive, said Nicole Morgan, a spokeswoman for MailSource UK, which now owns Graphic Data.
.
.
.
The buyer, Andrew Chapman, said he found the data when he looked at the machine's hard disk. "I was appalled when I found the bank account information. That sort of thing shouldn't have been listed on there," he said. "It would have been possibly quite easy to find if you know something about computers."
.
.
.
The security breach became known when Chapman found the information and contacted authorities."
.
.
.
"The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed" she said. "This incident is extremely regrettable and we're taking every possible step to retrieve the data and ensure this is an isolated incident."

There are so many things that appear could be wrong, missing and vulnerable in this situation. Just a few of the possibilities...

• The insider threat; an employee (ex now) taking it upon his or herself to sell an old laptop
• Possibly no policies for data disposal, laptop security, PII controls, computer retirement, and so many other possibilities
• The lack of controls within a vendor/contractor; looks as though the Royal Bank of Scotland (RBS) outsourced work to Graphic Data, who caused the incident
• Lack of data inventory and data tracking; RBS and Graphic Data would never have known the data was on the sold computer unless the buyer had contacted them! Just think of all the malicious things the buyer could have done with the PII of over 1 million people!