Royal Bank of Scotland Group PLC has not informed some 1,600 affected customers that their highly sensitive personal data had been in the possession of a former employee of unit National Westminster Bank PLC since her dismissal in June 2009, The Times reported, citing the former employee who spoke on condition of anonymity.
The former worker claims she was fired because of voicing concerns about the security of her work-from-home arrangement and has been negotiating returning the data to RBS but the two parties have yet to reach an agreement, according to the Aug. 19 report. The lender did not share the breach with its customers because it does not know the full scope of the information held by the former Natwest banker at her home. Furthermore, the bank considers the data historical and does not intend to take legal action for its retrieval, the report added.
Based on anonymous examples seen by the newspaper, the data includes banking details, account and transaction histories, personal contact information and credit card details.
The former Natwest banker told The Times that she filed a claim for unfair dismissal without success and alerted the Information Commissioner's Office, which confirmed that there had been a data security breach in the case.
A spokesperson for the regulator said the watchdog had "provided advice on data protection issues to parties involved [in] an employment dispute dating back to 2009" and that it was "satisfied that the potential risk posed to individuals does not warrant further action" despite the implementation in 2018 of the General Data Protection Regulation, under which organizations are required to inform the watchdog of any potential compromise of sensitive data within 72 hours of becoming aware of such incidents, according to the report.
