Attempted burglary exposes risk of NatWest customer data in former worker’s home

A data breach whistleblower and former NatWest worker has called for the bank to collect sensitive customer files from her home as a matter of urgency, after an attempted burglary took place.

The attempted break-in happened last week at the former bank employee’s home, where the 1,600 paper-based customer files are stored in a box under her bed. The previous week, a neighbour’s home was burgled.

For over a decade, the former Royal Bank of Scotland worker has been calling on the bank, now NatWest, to collect the files, which were sent to her home as part of her work arrangement, in breach of data protection rules.

In 2012, after an investigation, the Information Commissioner’s Office (ICO) slapped the bank’s wrist over the arrangement.

The ICO said at the time: “While this incident was a ‘local’ issue at branch level, RBS did not maintain compliance with the seventh data protection principle during the period in question. Both parties were made aware of this decision. No further action was taken by this office and the case was closed and remains closed.” 

The ICO worked with all parties for the safe return of the documents and everything within an agreement it negotiated was agreed, apart from the bank indemnifying the former worker against future claims related to storing the information in her home. The ICO ended its involvement in July last year.

NatWest agreed to issue a receipt for the documents, but did not agree to indemnify the former employee. A deadline to sign an agreement for the safe return of the sensitive banking details of former and current NatWest Group customers passed without agreement in October.

But the former worker, who is now a registered data controller, recently made a compromise with the bank and told it she would waive the demand for indemnity in return for a written apology.

The whistleblower also wants the bank to provider her with a secure cabinet to store the data until the matter is resolved.

In 2006, the worker was given the opportunity to work from home and, on the bank’s instructions, used customer banking information to help her generate mortgage and loans business.

Over three years, she received a total of 1,600 paper documents to support her in her role to generate mortgage and loans business. The documents are still stored in her home.

When the worker became concerned that the arrangement could breach data protection rules, she contacted an advice line within the bank about the information stored in her home. But after putting everything in writing to her manager, she inadvertently blew the whistle on the bank’s lax data security practices. She was advised to obtain a receipt from the bank before handing back the information to protect her own position from possible future litigation.

The woman was dismissed in 2009 for not returning the documents, with “flagrant disobedience following a reasonable instruction from a more senior employee” given as the official reason. An employment tribunal later upheld the decision.

In a recent email to the whistleblower, Craig Berry, a member of NatWest Group’s legal department, said: “You have sought payment from the bank in settlement and you have said, on many occasions, that you are not prepared to agree to the draft confirmations unless the bank provides you with an uncapped indemnity. In view of that position, we have not seen any need to communicate with you since March 2021 and we have made that very clear to you.

“If, however, you are in fact prepared to hand over the documents without payment and without provision of the uncapped indemnity, then I will personally meet with you in order for you to hand over the documents. If you are not prepared to do that, the correspondence between us must again cease.”

In an email to Berry since, copied to NatWest Group CEO Alison Rose, the former worker agreed to waive the demand for indemnity insurance, which she wanted to protect her from future claims. She wants the bank to collect the documents and give her a formal written apology.

She told Computer Weekly that, contrary to NatWest’s claims, that she has never demanded money. The formal written apology would need to include and acknowledge that she was employed by the bank from 1998 to 2009, she was employed to work from home between 2006 and 2009, and was provided with sensitive confidential customer data to undertake her role.

She would also want the bank to confirm that it had left this data in her possession for 13 years, that it had no concerns that the documentation had been shared with any other parties, and acknowledged that an itemised list had been provided to the bank outlining the information relating to each customer.

Computer Weekly asked NatWest if it is willing to provide the apology and collect the documents. At the time of writing, it had not responded. The ICO told Computer Weekly that this is a matter for the bank to resolve with the individual.

A spokesperson said: “The ICO has provided advice on data protection issues to parties involved in an employment dispute dating back to 2009. We are satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law (General Data Protection Regulation) since that time.”

The attempted burglary heaped more stress on the former worker, who has suffered anxiety and stress-related illness for the last 13 years as a result of being responsible for the confidential information.

She told Computer Weekly: “When the bank dismissed me after 10 years of service, I was devastated. I didn’t get out of my bed for three days. I was left without any money, and found it difficult to find any work for some time because I was unable to get a ‘good reference’ from the bank.

“I was trying to bring up two children and I struggled to find money to get them on the school bus and sometimes to feed them. I still find it difficult to talk about my dismissal and how the bank treated me.  

“I approached the bank in January 2008 because I became very concerned about my role working from home and what I was being asked to do by my bank managers. When I approached the bank to raise my concerns, they should have been protected under the bank’s ‘whistleblowing policy’.

“I didn’t expect them to sack me. I also didn’t expect my bank managers to continue to be employed by the bank. I have spent the last 13 years of my life protecting confidential information relating to its customers because the bank does not want to protect me from a position they placed me under.”