trending Market Intelligence /marketintelligence/en/news-insights/trending/bj9SCtWLgGQttbMwFO52sQ2 content esgSubNav
In This List

Report: RBS did not inform customers that former Natwest banker has their data

Podcast

Street Talk Episode 87

Blog

A New Dawn for European Bank M&A Top 5 Trends

Blog

Insight Weekly: US banks' loan growth; record share buybacks; utility M&A outlook

Blog

Banking Essentials Newsletter 2021: December Edition


Report: RBS did not inform customers that former Natwest banker has their data

Royal Bank of Scotland Group PLC has not informed some 1,600 affected customers that their highly sensitive personal data had been in the possession of a former employee of unit National Westminster Bank PLC since her dismissal in June 2009, The Times reported, citing the former employee who spoke on condition of anonymity.

The former worker claims she was fired because of voicing concerns about the security of her work-from-home arrangement and has been negotiating returning the data to RBS but the two parties have yet to reach an agreement, according to the Aug. 19 report. The lender did not share the breach with its customers because it does not know the full scope of the information held by the former Natwest banker at her home. Furthermore, the bank considers the data historical and does not intend to take legal action for its retrieval, the report added.

Based on anonymous examples seen by the newspaper, the data includes banking details, account and transaction histories, personal contact information and credit card details.

The former Natwest banker told The Times that she filed a claim for unfair dismissal without success and alerted the Information Commissioner's Office, which confirmed that there had been a data security breach in the case.

A spokesperson for the regulator said the watchdog had "provided advice on data protection issues to parties involved [in] an employment dispute dating back to 2009" and that it was "satisfied that the potential risk posed to individuals does not warrant further action" despite the implementation in 2018 of the General Data Protection Regulation, under which organizations are required to inform the watchdog of any potential compromise of sensitive data within 72 hours of becoming aware of such incidents, according to the report.