UK bank details of over a million people have been discovered on a computer sold on eBay.
A computer sold on the auction site for £35.88 was revealed to have information on American Express, NatWest and Royal Bank of Scotland customers with data including names, addresses, mobile phone numbers, bank account details, mothers' maiden names and signatures.
The details were found on the hard drive of the computer by its buyer Andrew Chapman, an IT manager from Oxford, reports the Daily Mail.
The computer originally belonged to data storage firm Graphic Data and was sold by a former employer.
A further computer is reported missing.
An RBS spokesperson said: "Graphic Data has confirmed to us that one of their machines appears to have been inappropriately sold on via a third party.
"As a result, historical data relating to credit card applications from some of our customers and data from other banks were not removed."
She added: "We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency."
Graphic Data, which is investigating the data loss, claimed the computer was taken and sold without the firm's consent.
"The IT equipment that appeared on eBay was not planned to be disposed by the company and investigations are still ongoing to find out how this equipment was removed from one of Graphic Data's secure locations," a spokesperson said.
"This incident is extremely regrettable and we're taking every possible step to retrieve the data and ensure this is an isolated incident."
James Jones, at credit reference agency Experian, is urging consumers worried about the loss not to panic.
"The information has not fallen into criminal hands and unless you are careless with your personal details banks will foot the bill for any losses from identity fraud."
He added those concerned should check bank and credit card statements for any irregularities and check their credit report.
"Being a victim of identity fraud is stressful and the three main credit reference agencies now do share information of those affected."
The Information Commissioner which looks into to public and private data loss is also now investigating.
Although the body has no powers to fine any responsible parties, it can issue an enforcement notice for a firm to meet the Data Protection Act. Failure to meet this is a criminal offence.