Personal information gathered from price comparison websites may have been used without people’s knowledge or consent by pro-Brexit campaigners in the European referendum.

An ex-director of Cambridge Analytica told parliament last week that she believed the Leave.EU campaign, headed by Nigel Farage and bankrolled by Arron Banks, may have breached data protection laws by using people’s private information without consent. She said she had seen with her “own eyes” how Leave.EU had apparently targeted customers of Eldon Insurance – owned by Banks – using their private data to promote anti-Europe messaging.

Banks, Leave.EU and Eldon have vehemently denied having shared any such data, either with each other or with Cambridge Analytica. But a “subject access request” submitted to Eldon has revealed that it holds data not just on its own customers, but also on people who have submitted a query to a price comparison website (PCW), which involves them agreeing to the site’s privacy terms.

A subject access request is a legal mechanism for individuals to obtain information from companies about what personal information the company holds about them, why it is held and how it is used. Such a request has revealed that personal details from a car insurance query to the PCW Moneysupermarket were passed to Eldon and held in its database. The data included name, date of birth, address, email address, details of friends and family and telephone number. In its last annual report, Moneysupermarket said that it held data on 24.9 million people – or about half the British electorate.

A spokesman for Moneysupermarket said: “Our providers use the personal information from our customers to generate personalised quotes for the service they have asked for (such as quoting for car insurance) and are not allowed to use this information for anything else unless they have permission from the customer.”

Potential customers who use most price comparison websites enter multiple pieces of sensitive personal information into an inquiry form that is then passed to partner companies. The privacy terms of the PCWs make clear that such data sharing may occur. The fact that this happens, however, raises the prospect that people who simply searched for insurance online via a PCW could have had their private information shared in a way they might not have realised.

Ravi Naik, a lawyer who specialises in data rights, said it would be “an astonishing misuse” of data. “It’s absolutely huge,” he said. “In theory, commercial operators could have access to almost every voter in the UK. People should be very concerned. This would absolutely be in breach of the second principle of data protection – that data gathered for one purpose isn’t used for another purpose.”

Arron Banks. Photograph: Suki Dhanda/The Observer

Brittany Kaiser, an ex-director of Cambridge Analytica, gave evidence to the select committee of the Department for Digital, Culture, Media and Sport last week that Banks asked Cambridge Analytica to combine data from different sources in order to profile and then target voters in the European referendum: “He asked us to design a strategy where we could work with Leave.EU, Ukip and Eldon Insurance data together.”

She also submitted documents that showed “complementary work streams” for Ukip, Leave.EU and Eldon insurance.

Banks owns Eldon, the umbrella group for various insurance brands that includes the GoSkippy brand and underwrites Debenhams insurance. The Leave.EU campaign was based inside its headquarters in Bristol.

Kaiser described a visit to the offices and told MPs that she had seen with her “own eyes” that Leave.EU staff were using insurance customers’ data to target them with political messaging.

“I was under the impression, by what they told me, that every single individual that they were pulling up to call was actually a lead or a current customer of Eldon Insurance or GoSkippy,” she said.

Leave.EU said that Kaiser’s testimony was “a confused litany of lies and allegations”. Lawyers for Banks and Eldon said such allegations were “highly defamatory”, that none of these allegations was true, and that there was no evidence to support them. They said Leave.EU and Eldon have never shared any data and that Leave.EU has never shared any data with Cambridge Analytica, whether in relation to the referendum or otherwise.

Last week, the Observer revealed that Leave.EU and Banks had received “information notices” from the Information Commissioner’s Office in the same week that the regulator had conducted a raid on Cambridge Analytica’s office and seized computer equipment. Both actions are part of its year-long investigation into the use of data in the referendum.

The DCMS committee, which is conducting an inquiry into fake news, also published interviews that Emma Briant, a lecturer in propaganda at Essex University, conducted with directors of Cambridge Analytica and the Leave.EU campaign. It included a recording of Andy Wigmore – a director of Eldon Insurance and spokesman for Leave.EU – making claims about how Eldon’s actuaries had been used to analyse data during the referendum.

Wigmore told the Guardian last week that no actuaries had been employed by the campaign. Last year, he told the Observer that the campaign had used artificial intelligence that it had developed inside Eldon’s headquarters. He said: “In insurance you have actuaries. Actuaries look at data, it’s all they do.”