Whistleblower contacts NatWest customers affected by a decade-old data breach

Former worker says contacting the people affected by the data breach is her last resort after the bank and regulators appear satisfied that the sensitive data file is safe stored under her bed

Karl Flinders,
Chief reporter and senior editor EMEA

Published: 12 Jul 2023 13:15

A whistleblower is contacting NatWest customers affected by a data breach which has forced her to store the sensitive information of around 1,600 of the bank’s customers in her home for over a decade.

The former administration officer at Royal Bank of Scotland, now part of NatWest Group, had already worked at the bank for 10 years when she began to be sent documents to keep at her home as part of a remote working agreement between 2006 and 2009. Her job was to contact customers using the data to generate mortgage business for the bank.

As revealed by Computer Weekly two years ago, the former worker, who wishes to remain anonymous, has been attempting to get the bank to take back the paper-based customer files, in return for a guarantee in writing that if any of the data is misused there will be no repercussions on her, which she said the bank has given verbally but not in writing. She also wants an apology from the bank’s CEO Alison Rose for “the nightmare” the bank has put her through.

The bank has so far said it would provide a signed and dated receipt for the documents, stating: “NatWest Group confirms that all of the documents in the schedule of material provided by [the former worker] have been received as at the date of delivery.”

But the former worker, who has had to register as a data controller at her own cost, told Computer Weekly, a receipt alone is not enough and would not offer the peace of mind that the bank would not implicate her or her family in any future investigation relating to these customers. The documents are stored under her bed.

The Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) have both told the former worker they cannot give her any further help. Due to the stalemate, she contacted the ICO and the bank to inform them that she will start contacting the people using the data in the files.

NatWest has claimed that the data in the files is historic and that there has been no customer detriment, but the whistleblower has already made 20 calls and spoken to 14 people, of which none have said they are no longer NatWest customers.

She said it has been extremely difficult for her to make the calls and recognises how worrying it is for the people contacted, but added that the calls have been received well. “Nobody has put the phone down and one said I am very brave for doing what I am doing,” she told Computer Weekly.

Those contacted so far have had many questions and the former bank worker has given them the contact details of NatWest CEO Alison Rose, the bank’s head of litigation and investigations Craig Berry, and the ICO.

“It has been 14 years before I did this and it is the last resort,” she said. “Last month, I travelled by train to the bank’s head office in London. I got to reception in the hope that I could speak with anyone at NatWest about the customer data left in my property so many years ago.

“I bought some copies of the original data with me because I thought it was important that I show this to somebody at the bank. I was only able to communicate with Craig Berry through the receptionist and by teams messages. The whole process took about an hour.

“He wouldn’t speak to me on the phone, or direct me to anyone else, which is what I had asked. The receptionist informed me that he had told her I could leave the data in reception, or send an email.”

“A meeting would give the bank the opportunity to see the documents, understand the nature of the content and alert affected customers. I still hope to find a way forward with either the bank and or the regulator to return the data in a secure manner. Speaking to these customers has been a very emotional experience for me.”

She said she would like to receive a formal apology for what has happened and for the way the bank has treated her from CEO Alison Rose. “I would also like her to accept my invite for meeting with the bank to discuss this further,” she added.

“It has taken more than a decade of my life trying to get the bank to do the right thing, which has come with devastating professional and human consequences for me. My mental health has been affected as a result of trying to challenge the bank; my career was destroyed.”

NatWest had not responded to Computer Weekly, but in February it said: “The situation could have been resolved at any point in the past decade through the return of the documentation, as the former employee claimed to have done in 2012. Instead, she chose to retain copies of the documents and she has sought payment and concessions from the bank in exchange for them.”

But the whistleblower said she has never demanded money for the return of the files.

After an investigation into the 2012 breach, the ICO slapped the bank’s wrists over the arrangement and advised the former employee on the safe return of the customer files until 2021, when it ended its involvement in the dispute.

According to the whistleblower, the ICO informed her in July 2021 – nearly a decade after it became involved – that it could do nothing about it because only electronic information was covered by the Data Protection Act 1998, and not paper-based information.

Most of the files she used in her job were returned to the bank, but she retained 1,600 as evidence for any legal proceedings, of which the ICO was aware.

In February 2022, an attempted burglary of her home highlighted the precarious security of the confidential documents.

Following the latest development, Computer Weekly contacted the ICO. A spokesperson said: “The ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009. We are satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law [GDPR] since that time.”