NatWest offers compensation to customer affected by data breach exposed by whistleblower

NatWest has offered compensation to a former customer after he was informed by a whistleblower that his personal information has been compromised for 14 years.

The former customer praised the whistleblower for bringing to his attention the fact that sensitive data about him and around 1,600 others has been insecurely stored in a former bank worker’s home for nearly a decade and a half.

As revealed by Computer Weekly two years ago, a former administration officer at Royal Bank of Scotland, now part of NatWest Group, had worked at the bank for 10 years when she began to be sent documents to keep at her home as part of a remote working agreement between 2006 and 2009. Her job was to contact customers using the data to generate mortgage business for the bank (read more about the dispute below).

She has been in negotiations with the bank for 14 years, attempting to return the documents with guarantees she will face no repercussions if any of the affected customers’ data is misused.  With stalemate in the dispute last month, she contacted the bank and the Information Commissioner’s Office (ICO) to inform them that she will begin contacting the people affected by the breach.

One of the affected customers contacted Computer Weekly. He said he has been in contact with the bank. which has offered him £200 in compensation for the breach that happened 14 years before he was made aware of it “by a whistleblower and not the bank”.

The former customer, who closed his account with NatWest around four years ago, contacted the bank after the whistleblower explained that his data was in her home and why, and gave him advice on what to do.

The bank’s executive response team apologised that he was concerned that he had been subject to a data breach. The bank said it is currently gathering further information and making inquiries to see what happened and how it can help. A bank representative wrote in an email: “My aim is to resolve your complaint to your satisfaction as quickly as possible and if I am unable to do so you may be entitled to refer your complaint to the financial services ombudsman.”

The former customer demanded the bank make contact with the whistleblower and send him a copy of the documentation that has been breached before he can consider the settlement the bank offered, calling for proof that the bank was not in error. 

“In addition, you have stated there has been no bank error, I would therefore like the bank to provide me with the information in relation to an investigation that was carried out by the ICO in relation to this matter,” he told the bank. “I am aware that the whistleblower is more than willing to return the documents to the bank.”

He also asked the bank how it has come to the figure of £200 for compensation.

The former customer praised the whistleblower for her actions, adding: “[She] was very helpful to me in getting in touch, letting me know and advising me. She was very helpful and obliging to me and I am very grateful to her. I would not have known anything about it if the whistleblower hadn’t told me. It is not very nice to know that someone has got your details. How many more don’t know yet?”

The whistleblower has so far contacted 30 people, all of which were thankful that she had informed them about the situation, and offered to initiate the safe return of their confidential data. She said they were also very worried about the breach and she advised them who to contact at the bank, as well as the ICO. She said she will not contact any more of the 1,600 people because of the stress it is causing her, and the time and money it is costing “doing what the bank should be doing”.

NatWest has constantly stated that the data held is not that of current customers data and that there has been no customer detriment, but the whistleblower told Computer Weekly that few customers have said they no longer bank with NatWest.

The former bank worker has been attempting to get the NatWest to take back the  paper-based customer files in return for a guarantee in writing that if any of the data is misused there will be no repercussions on her, which she said the bank has given verbally but not in writing. She also wants an apology from the bank for “the nightmare” it has caused her.

The bank has so far said it would provide a signed and dated receipt for the documents: “NatWest Group confirms that all of the documents in the schedule of material provided by [the former worker] have been received as at the date of delivery.”

But the former worker told Computer Weekly that a receipt alone is not enough and would not offer the peace of mind that the bank would not implicate her or her family in any future investigation relating to these customers.

NatWest had not responded to questions from Computer Weekly at the time of publication.