A staggering show of arrogance from RBS following the Natwest data breach
Highly sensitive data was left in a former bank employee's home for more than a decade. In a significant and possibly severe data breach, this personal information included the banking details of more than 1,600 Natwest customers.
To make matters worse, in a staggering show of arrogance, the Royal Bank of Scotland - which owns Natwest - has not alerted affected customers to this breach.
According to the Times, the information includes account and sort codes, credit card details and people's account histories, including direct debits, as well as their names, addresses, relationship status, occupation and phone numbers.
RBS hid the Natwest data breach from its customers
Crucially, it appears that NatWest knew about the data breach, but was unable to reach an agreement on the safe return of the information. And - in what looks like a decision to protect its reputation rather than its customers - the bank chose not to disclose the breach. Reportedly because it does not know exactly what information its former worker holds.
The former Natwest employee, who spoke to the Times on the condition of anonymity, was dismissed in June 2009. She believes that this was because she raised concerns about the security of her home working arrangement. She also claims that she has been attempting to return the information to the bank ever since.
The Information Commissioner's Office (ICO) has confirmed there was a data security breach after she alerted them to the issue.
Under the latest data protection rules, organisations must notify the ICO within 72 hours of becoming aware of a personal data breach. However, as this case pre-dates the GDPR, there was no mandatory reporting requirement.
How can you tell if your data has been put at risk by RBS/Natwest?
You have the right to find out if and how an organisation is using and storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).
You can make a subject access request at any time. And, if you are a NatWest customer worried about this data breach, you can make SAR to find out if your personal information was involved.
How long does RBS have to respond to a subject access request?
Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. RBS must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe, you can raise a complaint with the ICO.
Can RBS refuse your subject access request?
RBS can refuse a request if they believe it to be 'manifestly unfounded or excessive'. We do not believe that a SAR in response to this data breach could be described as such. If your request is rejected unjustly, you can raise a complaint with RBS, and if you remain dissatisfied, the ICO.
The ICO isn't meeting the needs of the individual when it comes to data breaches
Commenting on this case, an ICO spokesperson has said that it was "satisfied that the potential risk posed to individuals does not warrant further action, despite there being a change in the law (GDPR) since that time."
However, in our experience, the ICO isn't always meeting the needs of the individual when it comes to data breaches. And we believe that the ICO still requires education on the lasting and full impact of data breaches. Because in many cases, the experience of the individual is being downgraded.
As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.
The ICO exsists to uphold information rights in the interest of the public and manage the complaints process. To do this effectively, it must understand the various psychosocial effects that data breaches can have on individuals.
Not Just Hackers
At Hayes Connor, our experts deal with a significant volume of data breach cases each day. During our work, we see many different types of claims and how data breaches can affect people in different ways. In most cases, data breaches aren't caused by scammers trying to hack big businesses, but by simple human errors. And while these incidents don't make the headlines, for those involved the experience can be devastating.
To help reduce the number of data violations taking place across the UK, we are raising awareness of this issue and educating people and businesses to prevent similar mistakes from happening.
Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.