A NatWest customer has praised a whistleblower for informing him that his personal data had been breached, describing the bank’s handling of the issue as “disgusting”.
In the same way another former customer who contacted Computer Weekly earlier, the second NatWest customer to make contact with Computer Weekly was also offered £200 compensation by the bank.
As revealed by Computer Weekly two years ago, a former administration officer had worked at the bank for 10 years when she began to be sent documents to keep at her home as part of a remote working agreement between 2006 and 2009. Her job was to contact customers using the data to generate mortgage business for the bank.
When the former worker realised that the HR department was not aware of her working arrangement, she contacted an advice line within the bank and explained her concerns about the information stored in her home. She was asked to put everything in writing to her manager, which she did, inadvertently blowing the whistle on the lax data security practices.
After going through the bank’s grievances procedure, she was dismissed in May 2009 for not returning the documentation. The official reason for her dismissal was gross misconduct and “flagrant disobedience following a reasonable instruction from a more senior employee”. An employment tribunal later upheld the decision.
In a 2012 investigation, the Information Commissioner’s Office (ICO) found the bank had failed to comply with data protection rules when permitting home working to the branch worker, but no further action was taken.
After the ICO investigation, most of the files the former NatWest employee used in her job were returned to the bank through the ICO, but she retained 1,600 as evidence for any legal proceedings, of which the ICO was aware. The whistleblower said she was advised by the Financial Services Authority in 2012 to get a receipt from the bank before handing back the information, to protect her own position against future possible litigation.
Customers shocked at breach
She has been in negotiations with the bank for 14 years, attempting to return the documents. She wants guarantees that she will face no repercussions if any of the affected customers’ data is misused. With stalemate in the dispute, she contacted the bank and the ICO last month to inform them that she intended to begin contacting the people affected by the breach.
The whistleblower has so far contacted 30 of the 1,600 people whose data she holds, informing them about the situation and offering to initiate the safe return of their confidential data. She said they were very worried about the breach and she advised them to contact the bank and the ICO. She said she would not contact any more people because of the stress it is causing her, and the time and money it is costing.
The latest NatWest customer to contact Computer Weekly, who has had an account with the bank for 30 years, said after the initial shock at hearing his data was in the home of a former bank worker, he now wants answers from the bank.
“When it all first blew up, when the whistleblower phoned me, it was a bit of a shock because nobody at the bank had even contacted us,” he said. “I made an appointment, and we went into the branch because we were very concerned about this, but when we walked back out, we were none the wiser,” he added.
“The bank did apologise that the whistleblower has the documents, but they were a little bit blasé about it really. The manager we spoke to appeared a little bit uneasy that we had contacted him. He knew about it but was not prepared to answer any of our questions,” he said.
“All the bank was prepared to say was that nobody could access any of our money or open an account in our name. This made it a little bit easier from our point of view, but my biggest concern was that nobody from the bank even bothered to contact me and the other 1,600 people affected. We have had one hell of a job trying to get in contact with the bank about this.”
He said it was disgusting and he felt let down by the bank: “We have come close to closing our accounts and going somewhere else, but it is not easy to change everything.
“I cannot praise the whistleblower enough. It has taken a hell of a lot of guts for her to do what she has done.”
The customer received a letter from the bank that claimed the whistleblower had refused to return the information, which she has denied.
In the letter, a NatWest employee wrote: “I recognise receiving a call from someone who has your personal data will have been very concerning and you are understandably distressed about this. I can confirm that your information was not provided to anyone outside of the bank. It was originally provided to a then bank employee to carry out their role from home.
“However, when asked to return the documents, they refused. The individual did return certain customer documentation in 2012 and we believed the matter to have been resolved. Unfortunately, in 2019, we were made aware by the individual that they had made copies of some or all of the documentation, which remained in their possession.”
The whistleblower denied making any copies of the documents and said she has never refused to return them.
The NatWest letter to the customer continued: “We take the security of our customers’ personal data very seriously and our staff should not retain any customer information without a business need to do so. What has happened is clearly unacceptable and the bank has, over a significant period of time, attempted to recover the information from the person who is in possession of it, through the branch or by collecting it from the person.
“Unfortunately, we have been unsuccessful as the individual continues to seek a settlement agreement involving payment from the bank and an uncapped indemnity in relation to any claims against them. In circumstances where a former employee has refused to return confidential customer data, it would not be appropriate to make a payment to them.”
The whistleblower said she has never asked for payment, but indemnity is important to protect her against potential legal action in the future. She has been attempting to get NatWest to take back the 1,600 paper-based customer files in return for a guarantee in writing that if any of the data is misused there will be no repercussions on her, which she said the bank has given verbally but not in writing. She also wants an apology from the bank for “the nightmare” it has caused her.
The bank has so far said it would provide a signed and dated receipt for the documents, but the former worker told Computer Weekly that a receipt alone is not enough and would not offer peace of mind that the bank would not implicate her or her family in any future investigation relating to these customers.
NatWest told the customer that there had been no bank error. The customer said he wants to know why the bank didn’t take the customer files back if what it says about the whistleblower is true. He has emailed the ICO, but has not received a reply. He has also been in contact with his local MP.
He said he wants answers from the bank. “I didn’t even know about this and if it takes another 10 years, I am in no rush. I will [wait] as long as it takes because the bank should be held responsible for this.”
Doing ‘the right thing’
Another person affected by the breach, who contacted Computer Weekly earlier this week after also being contacted by the former NatWest employee, praised the whistleblower for her actions. “She was very helpful and obliging to me and I am very grateful to her,” they said. “I would not have known anything about it if the whistleblower hadn’t told me. It is not very nice to know that someone has got your details. How many more don’t know yet?”
“I am still completely mystified as to the continuing hostile and aggressive attitude of the bank, when all I have ever tried to do is the right thing” NatWest whistleblower
A NatWest spokesperson told Computer Weekly: “… we can confirm that we are speaking with [the former employee]. Our priority, as it has always been, is to retrieve this information and to prevent any further distress to our customers. As we have previously stated, we were under the impression that all of this information was returned to us in 2012, via the ICO.
“There was no concern that the information had been shared with any other parties. Consequently, the bank did not notify customers. Our overriding concern was – and continues to be – the recovery of the documents.”
The bank spokesperson added: “The situation could have been resolved at any point in the past decade through the return of the documentation. Instead, the former employee decided to retain copies of the documents and continues to seek payment and other concessions from the bank in exchange for the documents.”
The whistleblower told Computer Weekly that when she contacted the customers it was not to inform them of what the bank had done, as such, but to inform them their data had been left in her home for 14 years and that she needed to make arrangements to have it returned safely to them.
“All I have ever wanted is to negotiate a receipted return of the documents to the bank in such a way that I did not leave myself unprotected. I cannot continue having these documents in my possession and having sole responsibility of protecting them because it has taken over my life. Deciding to contact a few of these customers was not a decision I took lightly.”
She said the bank was made aware in January 2023 that she would start making arrangements, as a data controller, to return the files to the data subjects because it was evident from a call she had with NatWest’s head of litigation and investigations, Craig Berry, in January that these documents were going to be left with her indefinitely if she didn’t sign what the bank demanded.
“I have always believed this was and still is a very serious breach that affects people’s lives. The bank is unable to reassure me that had anyone else been provided with the sensitive customer data as I had, they would have safeguarded this information in the way that I have. This continues to have a major detrimental impact on my life,” she said.
“I informed the former NatWest CEO Alison Rose and chairman Howard Davies by email on 30 January this year that if the bank had decided to leave this documentation with me indefinitely, I would exercise my right as a data controller and look to return the data safely to the data subjects. The bank and the ICO didn’t reply to my email.
“I am still completely mystified as to the continuing hostile and aggressive attitude of the bank, when all I have ever tried to do is the right thing.”