Spank shops specialize in selling commodities at such inflated prices that they are effectively worthless to the customer. The sales usually include an 'exit date' at which point the investor can expect to receive his return – but before which the spank shop closes down and moves on. Access to personal data on the target 'victim' allows the trader to 'get inside the head' of the victim and offer what is likely to be a tempting deal.
The scandal came to light when an anonymous former commodity broker handed the Mail on Sunday a memory stick containing 2000 files on customer details, and claimed to have a database of 27,000 similar files. The Mail is working with both the Information Commissioners Office (ICO, able to impose fines of up to £500,000 for serious breaches of the Data Protection Act) and the Financial Conduct Authority (FCA, able to impose unlimited fines).
Barclays issued a statement Sunday. "Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business which we ceased operating as a service in 2011. Based on what we have seen, this appears to be data from 2008 or earlier." This certainly fits with the information provided by the whistleblower – the files contain very detailed and personal information that would help a legitimate financial planner advise on the most appropriate investments.
Barclays Financial Planning had a troubled history. The files disclosed to the Mail "are believed to have been customers of the now defunct Barclays Financial Planning business, which was fined £7.7m in 2011 and ordered to pay up to £59m in compensation for mis-selling investment funds to more than 12,000 customers," notes the Guardian.
What is not yet clear is how the files were stolen from Barclays. Whether an external breach by a hacker, or insider theft, or simple 'lost and found' is to blame, one thing seems clear: the now defunct Barclays Financial Planning organization lacked adequate corporate governance. "It's critical," said Steve Smith, managing director of Pentura, "that firms holding this type of sensitive data have policies to protect that information, and to control who has access to it, from when it's originally created right through to its long-term storage and disposal. This is the only way to control these types of breach, so that their origins can be traced and any vulnerabilities quickly closed.”
Colin Tankard, managing director of Digital Pathways, believes that the solution is a combination of activity monitoring/auditing and data encryption. The former controls staff who have a legitimate right to access the data by "limiting the number of records they can access and watching, and stopping... any unusual activity such as the copying large numbers of records," he said.
Encryption should be used to protect data from those who have no right or no need to see the data. "By linking encryption with access rights," he explains, "movement of data is enabled but no one is able to read it. If the Barclays data had been robustly encrypted, even though it had been downloaded to a USB stick, the data would be useless, as it could not be read."