After a million customers had their personal data put at risk, Nic Cicutti looks at self-defence
FOR years now we have been lectured by banks and other financial institutions about the need to protect ourselves against identity theft. But what if the institutions themselves are putting us in danger?
This appears to have happened for up to a million customers at Royal Bank of Scotland and its NatWest subsidiary, as well as American Express, after a computer containing sensitive personal details was sold on the auction website eBay for just £35.
The details formed part of credit card applications dating back to 2005. The information included many customers' names, addresses, dates of birth, mobile phone and home phone numbers, as well as signatures, annual income, bank account numbers, bank sort codes and the 16-digit number of the credit cards they were granted.
Andrew Chapman, the IT specialist who bought the computer on eBay and discovered the information on its hard drive, described it as "a data thief's treasure chest".
The data had been held by Essex archiving company MailSource, also known as Graphic Data. The firm copies paperwork from some of the UK's biggest financial institutions, including RBS, and stores it on their behalf. It is not clear whether the computer's disposal was deliberate or a case of theft.
A company spokeswoman says: "The equipment that appeared on eBay was in a secure, locked environment and was not planned to be disposed of by the company. Investigations are still ongoing to find out how this equipment was removed from one of our secure locations."
However, the Information Commissioner's Office, the watchdog in charge of personal data security, has now opened an inquiry into what happened. A spokesman there says: "It is essential that companies have appropriate procedures in place to ensure that personal records are kept secure at all times.
"If companies are disposing of computer equipment they must take the necessary steps to ensure that any personal information stored on the hard drive is rendered unrecoverable."
A spokeswoman at RBS says: "Graphic Data has confirmed that one of its machines containing historical data relating to credit card applications from some of our customers was removed from one of its secure locations.
"Graphic Data has now safely retrieved the machine and the data it contains. We will now forensically review the data as a matter of urgency. While at this stage we believe the machine and its contents have not been compromised, our investigation team are reviewing the machine so that we can give reassurance to any customer affected by this incident as a matter of urgency."
City watchdog the Financial Services Authority (FSA) is investigating what happened and is known to take such cases extremely seriously. Previous financial firms where personal data has been lost include Norwich Union and Nationwide – and they were fined £1.26m and £980,000 respectively last year.
A spokesman says: "The FSA takes data security seriously and expects regulated firms to do all they can to protect their customers' details, including ensuring that any part of their business which is outsourced abides by the same high standards expected of the firm."
The investigation follows a review of systems and controls for data security at 39 firms including banks, building societies, insurance companies and financial advisers.
Despite examples of "good practice" the FSA found across the industry, however, many firms still underestimate the risk of data loss and fraud to their businesses, and especially to their customers. Poor practice included firms not proactively checking that third-party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data.
Also, on occasions of significant data loss, firms seem more concerned about adverse media coverage than about being open and transparent with their customers, according to the watchdog's research.
This latest incident, coupled with the loss by HM Revenue & Customs last November of two computer discs with names, addresses, dates of birth, National Insurance numbers and bank details of 25 million people, has also cast a spotlight on the ease with which fraudsters can gain the details they then use to steal people's identities.
Many financial providers have responded to the ID theft threat by offering consumers insurance packages that promise to help them if their personal details are stolen and used for fraudulent purposes.
Policies can cost from £20 a year with Saga to £60 a year with Barclaycard. Some offer payments of up to £50,000, to be used towards bills such as legal fees, lost wages and costs for rejected loan fees.
But Peter Gerrard, insurance expert at the Moneysupermarket.com price comparison site, points out that money stolen from your bank account or a credit card as a result of identity theft will be refunded, whether or not you have this cover, provided you have not been negligent.
He says: "I personally don't think [these policies] are all that worthwhile. You can eliminate the need for a policy by taking 15 minutes to protect yourself in the first place."
Keep hands off your data
Regularly check your personal credit file to check it is accurate.
Check bank and credit card statements to make sure there are no unfamiliar transactions.
Cancel lost or stolen cards immediately.
Use a shredder to get rid of documents you don't need.
Never give personal or bank details to anyone who contacts you unexpectedly.
Don't use the same password for more than one account. Be ready to lie: for example, if a security question includes your mother's maiden name, make another one up.
Make sure you have up-to-date security software installed on your computer.
Never tick 'yes' to share your details with third parties.
Give away only the minimum details on social networking sites and understand privacy settings.
When moving, tell all the organisations you have dealings with. Use a Royal Mail Redirect for at least a year to ensure all post is forwarded to you.
One final 'nuclear' option for those who believe someone may already have accessed their personal details is to move to a new current account and savings account – therefore receiving new account numbers.
The full article contains 1046 words and appears in Scotland On Sunday newspaper.