A data breach whistleblower said NatWest files under her bed contain current customer details, contrary to the bank’s claims that the information is historic.
The former worker at the Royal Bank of Scotland (RBS), part of NatWest Group, has been in dispute with the bank for more than a decade over the confidential customer data files stored in her home.
The former staffer, now a registered data controller, said she had tested NatWest’s assertion that the customer data is historical and established that some of it belongs to current customers.
In 2006, the data was sent to the worker’s home as part of a work arrangement – in breach of data protection rules. The worker was given the opportunity to work from home and, on the bank’s instructions, used customer banking information to help her generate mortgage and loans business. Over three years, she received thousands of paper documents, many of which – about 1,600 – are still stored in her home.
When the worker became concerned that the arrangement could breach data protection rules, she put everything in writing to her manager and inadvertently blew the whistle on the bank’s lax data security practices.
She was advised to obtain a receipt from the bank before handing back the information to protect her own position from possible future litigation.
The former worker was sacked by the bank in 2009 and has been calling on the bank to collect the files ever since.
In 2012, the Information Commissioner’s Office (ICO) investigated the case and slapped the bank’s wrist over the arrangement.
The ICO said that while the incident was a “local” issue at branch level, RBS did not maintain compliance with the seventh data protection principle (the Data Protection Act 1998 requirement for appropriate technical and organisational security measures against unauthorised processing or accidental loss of personal data) during the period in question: “Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.”
The bank said it wants the files returned, but will not agree to conditions set to protect the former worker from future potential action from the bank’s customers.
NatWest has claimed the data is historic and that there has been no customer detriment.
In 2019, then CEO at RBS, Ross McEwan, emailed an MP looking into the case and stated: “To clarify the bank’s position with respect to the return of the documents, the bank’s interest does not lie in the documents themselves, which are historic and very likely to be obsolete.”
The bank told Computer Weekly that it does not believe what it describes as “historical documentation” poses any risk to customers.
But the whistleblower said she has established that some of the data files relate to existing customers and has informed the bank and the ICO.
“I have put to the test the bank’s assertion that this data is historical and that it poses no risk to customers, and I have established that some of the data is live/existing customers. I immediately informed the bank and the ICO of this,” the former RBS worker told Computer Weekly.
The ICO has worked with both parties since 2012 for the safe return of the files, but negotiations failed and the ICO ended its involvement in July 2021.
Computer Weekly asked NatWest why it believes the information is historical, given that the bank has no record of the data. “We have nothing further to add to our background and statement,” it said.
The statement the bank referred to, which it has used before, does not address the question put to it. It said: “This former employee was dismissed in 2009 for gross misconduct as a result of her repeated refusal to return customer information. There has been no customer detriment and the bank does not believe that this historical documentation poses any risk to customers.
“The situation could have been resolved at any point in the past decade through the return of the documentation, as the former employee claimed to have done in 2012. Instead, she has sought payment and concessions from the bank in exchange for the documents.”
The former worker vehemently denies this. “NatWest accused me of demanding money in exchange for the documents. This is not true. All I have ever asked from the bank is that they provide me with an adequate receipt in exchange for return of the documents, which I have carefully looked after for 14 years, that offers me peace of mind,” she said.
“I need to know that there will be no repercussions, from what I was being asked to do by the bank during my employment, or once I give the documents back. The bank has not exactly acted fairly over the last 14 years.”
As part of the ICO investigation in 2012, the former worker handed over thousands of files to the regulator, which were subsequently returned to NatWest. However, she retained a box containing the 1,600 customer files to give her evidence for any legal proceedings, of which the ICO was made aware.
In February this year, an attempted burglary of her home highlighted the precarious security of the confidential documents.
Computer Weekly asked the ICO whether its stance would change if the data was live data, belonging to current customers.
An ICO spokesperson said: “The ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009. We are satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law [GDPR] since that time.”
In her last correspondence with the ICO, the former employee was told by its director of legal services, James Moss, to contact the bank.
She has written to NatWest seven times since the beginning of March, with no response since Craig Berry, head of litigation and investigations at NatWest, told her: “Your ongoing briefing of journalists is not assisting in any regard.”
The former worker told Computer Weekly: “It has taken more than a decade of my life, trying to get the bank to do the right thing. This has come with devastating professional and human consequences for me. My mental health has been affected as a result of trying to challenge the bank; my career was destroyed.”
She said she identified a serious data breach in 2008, which she believes placed bank customers at risk of being targeted. “I don’t know if the bank managers who were responsible were ever sanctioned for the release of such sensitive information. For reasons that only the bank will know, it decided to dismiss me from service rather than protect me for speaking up,” she said.
“The current senior management at NatWest haven’t engaged in any conversations with me and I feel the full force of responsibility to protect this data. I don’t want the bank to come after me, I want the bank to help resolve a situation that it created.”