Last June, I blogged about an incident in which a journalist reported that he had purchased personal information about British residents from the employee of an outsourcing operation in India (see: The Canadian Privacy Law Blog: Undercover UK reporter buys personal information from Indian call centre).
At the time, the UK Information Commissioner said that the banks involved may face prosecution under the Data Protection Act. Following an investigation by the Information Commissioner, it is now said that there is no evidence that any personal information was compromised and there will be no prosecution. (I am not sure if this means there was no evidence or they didn't find any evidence.)
The UK police also said that they did not have any jurisdiction to investigate and financial regulators didn't bother to investigate. Somewhat troubling was the statement at the time that "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."