RBS data breach row: Whistleblower claims she has highly sensitive details of 1,600 customers bank WON’T take back
Royal Bank of Scotland is embroiled in a row with a former employee over customer data that raises serious issues over security issues when working from home.
An ex-staff member claims the bank is refusing to take back the highly sensitive details of more than 1,600 customers, which she says was left with her more than a decade ago.
RBS, which this week changed its name to Natwest, allowed the staff member to take away customer files so she could work from home, selling mortgages and other loans to existing customers. The episode was later branded a data breach by regulator the Information Commissioner’s Office (ICO).
Receiving end: Boss Alison Rose is trying to clean up the bank’s tainted image
Despite that, the bank has failed to alert customers affected.
The former employee is particularly concerned that similar data breaches could occur more frequently now that most employees are working from home due to the coronavirus pandemic. This could happen if it has failed to make arrangements for the safe storage of data in the homes of its staff. Around 50,000 RBS staff have been told to work from home until 2021 despite government guidance urging people back to their offices.
The 1,600 customers are still completely unaware that their personal details – including account and sort codes, credit card details, direct debits and addresses – have been sitting in a cardboard box in the former employee’s house for over a decade. The woman, who was dismissed by the bank in 2009 and has asked to remain anonymous, says she has been trying to return the data ever since she left.
But she has been unable to reach an agreement with the bank over a secure handover, and the personal details are still sitting in her home.
In its most recent correspondence with her, the bank said it considered the matter ‘closed’.
She passed some, but not all, of the documents to the ICO in 2012. She says she retained some as evidence, with a view to reporting RBS to City watchdogs.
Before she hands over the remaining documents, she wants the bank to sign a statement that it has received and taken responsibility of the thousands of pages of data.
But the bank has signalled it will only do this if she signs a clause stating that the bank had no idea what documents were provided to her and are held by her. She claims this is misleading, and feels unable to sign it.
She says she has shown senior officials at the bank extracts of the documentation she held. The Information Commissioner’s Office (ICO) has also stated in correspondence that it handed RBS some of the data during the course of an investigation several years ago.
If the bank admits that it knew the nature of the data, Natwest may have to explain to angry customers why it did not tell them earlier that the security of their personal details had been compromised. Data protection rules introduced in 2018, but which did not apply at the time, state organisations must ‘inform individuals without undue delay’ when a serious data breach has occurred.
The former employee said: ‘I just want to get this off my chest – I shouldn’t have all this information and I don’t want it.
‘But customers deserve to know what happened, and RBS should have told them about this breach years ago.’
She says that after raising concerns around the security of her working arrangement, she was fired in 2009. She made a claim for unfair dismissal but this failed.
Following an investigation which concluded in 2012, the ICO found that RBS/Natwest had breached the Data Protection Act. It took no further action and closed the case.
Under chief executive Alison Rose – appointed last November – Natwest is attempting to clean up its image which was sullied by its £45.5billion taxpayer bailout in 2008.
A spokesman for RBS maintains the bank does not know what is in the documents.
The bank says that until 2019, it believed all of the documents held by the ex-employee had been returned through the ICO in 2012.
The spokesman added: ‘In 2019, the former employee alleged that she had, in fact, retained additional documentation.
‘The bank continues its attempts to recover this information and has no knowledge of what it might contain.
‘As with the documentation received in 2012, there has been no customer detriment and there are no concerns that it has been shared with any other parties.’