Update: Jagex has issued a statement saying that no credit card or banking information was lost as a result of the breach.
"Further to yesterday’s announcement, we can confirm that none of our players’ bank or card details were compromised," it said. "We work with an industry-respected, fully compliant third-party payment processor, to purposefully avoid staff having access to players’ full bank or card details. This also applies when players choose to save their details at payment stage for any future purchases. Jagex undergoes regular, third-party testing to ensure we maintain the highest security standards."
A couple of months ago, an Old School Runescape player who goes by mazrim_lol on Reddit claimed that a "serious data breach" had caused him to lose 45 billion coins on his main account. His claims were dismissed by a number of other players, several of whom suggested that it was his own fault for not having the account properly secured, or that he might be lying about it completely. But it came to light today that he wasn't lying, and that he was correct about the data breach, which was actually an inside job at Jagex.
"We confirm that a Member of The Old School Team was dismissed from employment at Jagex following gross misuse of moderator privileges," Jagex said in an announcement posted today. "During our rigorous routine system checks, irregular activity was identified on a small number of accounts, including the movement of wealth and items back into the live game."
"Following our investigation, we were able to resolve the issue before any significant impact was made to the wider game, or economy. We have also taken steps to return items and GP to any affected accounts. Whilst we generally do not return items or gold, we feel that given this unusual situation, we wanted to ensure no players lost out to the rogue actions of a member of staff."
Jagex added that it's "working with the police" regarding the incident—45 billion coins has considerable real-world value—but said it could not provide further details. However, according to this ResetEra thread, the employee in question is Jed Sanderson, aka Mod Jed, who may actually have stolen in excess of 100 billion coins in total, worth over $100,000 on gold-selling markets. He's also allegedly involved with the Reign of Terror clan, which has been accused of using DDoS attacks to impede opponents in tournaments, including a $20,000 tournament that took place in September of last year. Jagex said at the time that its investigation had found no evidence of wrongdoing by Sanderson, but in the wake of all this I expect that it will be taking another look.
In a follow-up post, Mazrim_lol shared an image of a message he received from Jagex Player Support, informing him that, because of the "rare circumstances" of the case, it has decided to restore his lost wealth. "We take matters like this very seriously and, as such, we would like to assure you that we have taken steps to make sure that an incident like this will not happen again," Jagex wrote.
Happily, Mazrim_lol is taking his vindication graciously: "All the redditors who spent ages telling me I was just lax with security can suck a fat one," he wrote.