{"id":36771,"date":"2022-06-22T06:42:00","date_gmt":"2022-06-22T06:42:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36771"},"modified":"2022-06-22T06:42:00","modified_gmt":"2022-06-22T06:42:00","slug":"natwest-files-under-whistleblowers-bed-contain-live-customer-data","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36771","title":{"rendered":"NatWest files under whistleblower\u2019s bed contain live customer data"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/natwest-files-under-whistleblowers-bed-contain-live-customer-data.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><span>A data breach whistleblower said NatWest files under her bed contain current customer details, contrary to the bank\u2019s claims that it is historic information.<\/span><\/p>\n<p><span>The former worker at the Royal Bank of Scotland (RBS), part of NatWest Group, has been in dispute with the bank for more than a decade over the confidential customer data files stored in her home.<\/span><\/p>\n<p><span>The former staffer, now a registered data controller, claimed that, in testing NatWest\u2019s assertion that the customer data is historical, she has established that some of the data belongs to current customers.<\/span><\/p>\n<p>In 2006, the data was sent to the worker\u2019s home as part of a work arrangement \u2013 in breach of data protection rules. The worker was given the opportunity to work from home and, on the bank\u2019s instructions, used customer banking information to help her generate mortgage and loans business. 
Over three years, <a href=\"https:\/\/www.computerweekly.com\/news\/252504531\/ICO-ends-its-involvement-in-dispute-between-NatWest-Bank-and-data-breach-whistleblower\">she received thousands of paper documents<\/a>, many of which \u2013 about 1,600 \u2013 are still stored in her home.<\/p>\n<p>When the worker became concerned that the arrangement could breach data protection rules, she put everything in writing to her manager and inadvertently blew the whistle on the bank\u2019s lax data security practices.<\/p>\n<p>She was advised to obtain a receipt from the bank before handing back the information to protect her own position from possible future litigation.<\/p>\n<p>The former worker was sacked by the bank in 2009 and has been calling on the bank to collect the files ever since.<\/p>\n<p>In 2012, the Information Commissioner\u2019s Office (ICO) investigated the case and slapped the bank\u2019s wrist over the arrangement.<\/p>\n<p>The ICO said while this incident was a \u201clocal\u201d issue at branch level, RBS did not maintain compliance with the&nbsp;<a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/principles\/\">seventh data protection principle<\/a>&nbsp;during the period in question: \u201cBoth parties were made aware of this decision. 
No further action was taken by this office and the case was closed and remains closed.\u201d&nbsp;<\/p>\n<p>The bank said it wants the files returned, but will not agree to conditions set to protect the former worker from future potential action from the bank\u2019s customers.<\/p>\n<p><span>NatWest has claimed the data is <\/span>historic and that there has been no customer detriment.<\/p>\n<p>In 2019, then CEO at RBS, Ross McEwan, emailed an MP looking into the case and stated: \u201cTo clarify the bank\u2019s position with respect to the return of the documents, the bank\u2019s interest does not lie in the documents themselves, which are historic and very likely to be obsolete.\u201d<\/p>\n<p>The bank told Computer Weekly that it does not believe what it describes as \u201chistorical documentation\u201d poses any risk to customers.&nbsp;<\/p>\n<p>But the whistleblower said she has established that some of the data files relate to existing customers and has informed the bank and the ICO.<\/p>\n<p>\u201cI have put to the test the bank\u2019s assertion that this data is historical and that it poses no risk to customers, and I have established that some of the data is live\/existing customers. I immediately informed the bank and the ICO of this,\u201d the former RBS worker told Computer Weekly.<\/p>\n<p>The ICO has worked with both parties since 2012 for the safe return of the files, but negotiations failed and&nbsp;<a href=\"https:\/\/www.computerweekly.com\/news\/252504531\/ICO-ends-its-involvement-in-dispute-between-NatWest-Bank-and-data-breach-whistleblower\">the ICO ended its involvement in July 2021<\/a>.<\/p>\n<p>Computer Weekly asked NatWest&nbsp;why it believes the information is historical, despite having no record of the data. \u201cWe have nothing further to add to our background and statement,\u201d it said.<\/p>\n<p>The statement the bank referred to, which it has used before, does not address the question put to it. 
It said: \u201cThis former employee was dismissed in 2009 for gross misconduct as a result of her repeated refusal to return customer information. There has been no customer detriment and the bank does not believe that this historical documentation poses any risk to customers.&nbsp;<\/p>\n<p>\u201cThe situation could have been resolved at any point in the past decade through the return of the documentation, as the former employee claimed to have done in 2012. Instead, she has sought payment and concessions from the bank in exchange for the documents.\u201d<\/p>\n<p>The former worker vehemently denies this. \u201cNatWest accused me of demanding money in exchange for the documents. This is not true. All I have ever asked from the bank is that they provide me with an adequate receipt in exchange for return of the documents, which I have carefully looked after for 14 years, that offers me peace of mind,\u201d she said.<\/p>\n<p>\u201cI need to know that there will be no repercussions, from what I was being asked to do by the bank during my employment, or once I give the documents back. The bank has not exactly acted fairly over the last 14 years.\u201d<\/p>\n<p>As part of the ICO investigation in 2012, the former worker handed over thousands of files to the regulator, which were subsequently returned to NatWest. 
However, she retained a box containing the 1,600 customer files to give her evidence for any legal proceedings, of which the ICO was made aware.<\/p>\n<p>In February this year, <a href=\"https:\/\/www.computerweekly.com\/news\/252513726\/Attempted-burglary-exposes-risk-of-NatWest-customer-data-in-former-workers-home\">an attempted burglary<\/a> of her home highlighted the precarious security of the confidential documents.<\/p>\n<p>Computer Weekly asked the ICO whether its stance would change if the data was live data, belonging to current customers.<\/p>\n<p>An ICO spokesperson said: \u201cThe ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009. We are satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law [GDPR] since that time.\u201d<\/p>\n<p>In her last correspondence with the ICO, the former employee was told by its director of legal services, James Moss, to contact the bank.<\/p>\n<p>She has written to NatWest seven times since the beginning of March, with no response since Craig Berry, head of litigation and investigations at NatWest, told her: \u201cYour ongoing briefing of journalists is not assisting in any regard.\u201d<\/p>\n<p>The former worker told Computer Weekly: \u201cIt has taken more than a decade of my life, trying to get the bank to do the right thing. This has come with devastating professional and human consequences for me. My mental health has been affected as a result of trying to challenge the bank; my career was destroyed.\u201d<\/p>\n<p>She said she identified a serious data breach in 2008, which she believes placed bank customers at risk of being targeted. \u201cI don\u2019t know if the bank managers who were responsible were ever sanctioned for the release of such sensitive information. 
For reasons that only the bank will know, it decided to dismiss me from service rather than protect me for speaking up,\u201d she said.<\/p>\n<p>\u201cThe current senior management at NatWest haven\u2019t engaged in any conversations with me and I feel the full force of responsibility to protect this data. I don\u2019t want the bank to come after me, I want the bank to help resolve a situation that it created.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A data breach whistleblower said NatWest files under her bed contain current customer details, contrary to the bank\u2019s claims that it is historic information. The former worker at the Royal Bank of Scotland (RBS), part of NatWest Group, has been in dispute with the bank for more than a decade over the confidential customer data [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36772,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36771","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36771"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36771\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36772"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com
\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}