Natwest Data Breach

natwestissue
Posts: 2 Newbie

Hi all,
A couple of years ago I moved my mortgage to Natwest. A few weeks ago I logged into their website to check the status of my mortgage, and look at making an overpayment.
Imagine how surprised I was to find out that after paying eight years' worth of mortgage that I owed more money than I did eight years ago. Except that I don't, I was looking at someone else's mortgage. Whilst I did have to suffer the near heart attack of seeing that, I'm just grateful that I did spot it, and didn't just make the overpayment.
I raised the issue with Natwest, but for me, their response hasn't been good enough. They said sorry, sent me some booze and asked me to delete the evidence, however, they closed my complaint even though I'd specifically said I wouldn't close the complaint until hearing back from their IT department about how it happened. I also made a subject access request with my original complaint, so I could be sure all my data is correct (as I am unable to check my mortgage on their website). They ignored my SAR, and only acknowledged it when I contacted them again about them closing my complaint before it had been resolved.
My issue is, I now feel very unsafe having my mortgage with Natwest, and want to swap to someone else, however, I believe I'm still within the introductory rate period (again, I cannot check), so would have to pay an early repayment fee, which I think under the circumstances would be unfair. Is there any way I can avoid this?
0
Comments
-
Not unless they're feeling extraordinarily generous.
On your other points, a company will never tell a random member of the public how a data breach occurred, for obvious reasons. And they didn't ask you to delete the evidence, but to delete data that you shouldn't have had, as they are obliged to do. It's a very different emphasis on a similar request.
Notwithstanding the original error and delayed SAR response, they've handled it well.
1 -
Mistakes happen, it is unfortunate but it is life. I bet nobody can say they have never made a mistake. Pick any mainstream lender and I would put money on them having a data protection breach. I have worked for 2 banks and an insurance company and I know all 3 of them have breached data protection laws - not intentionally.
You did the right thing by informing them.
They did the right thing by acknowledging it and asking you to remove any evidence. They will have also told the customer and also the ICO.
As it stands there is no evidence your information has been compromised and they would have had to inform you if they knew it had been.
I am a Mortgage Adviser
You should note that this site doesn't check my status as a mortgage adviser, so you need to take my word for it. This signature is here as I follow MSE's Mortgage Adviser Code of Conduct. Any posts on here are for information and discussion purposes only and shouldn't be seen as financial advice.
1 -
Deleted_User said:
Notwithstanding the original error and delayed SAR response, they've handled it well.
When you log in and see someone else's details because their API is spitting out the wrong data, then handling it well would be stopping it from happening, not closing the complaint with the issue still live. If they fixed the issue I could log in, check my existing balance, check if I'm still in the introductory period and sort out a switch without issue, but as I'm unable to access my mortgage then to me they have handled this very badly.
2 -
Santander had a massive IT issue some years back. TSB had the same a couple of years ago after the split from Halifax.
Those are the ones that make it to the news where they affect everyone.
I have a credit card with a company. I no longer have the card and I no longer live at the address they have on the system. They won't allow me to change the address without going into branch or writing them a letter. I asked them to stop sending out any post as it is going to someone else. They refused and they are knowingly sending my statements to the person who bought my house.
I am a Mortgage Adviser
You should note that this site doesn't check my status as a mortgage adviser, so you need to take my word for it. This signature is here as I follow MSE's Mortgage Adviser Code of Conduct. Any posts on here are for information and discussion purposes only and shouldn't be seen as financial advice.
0 -
ACG said:
Mistakes happen, it is unfortunate but it is life. I bet nobody can say they have never made a mistake. Pick any mainstream lender and I would put money on them having a data protection breach. I have worked for 2 banks and an insurance company and I know all 3 of them have breached data protection laws - not intentionally.
You did the right thing by informing them.
They did the right thing by acknowledging it and asking you to remove any evidence. They will have also told the customer and also the ICO.
As it stands there is no evidence your information has been compromised and they would have had to inform you if they knew it had been.
Banks and other financial institutions have stringent measures in place to reduce (in case of human error) and eliminate system errors (believe it or not there are banks that go for years or never have had a data breach)...
They will have also told the customer and also the ICO. ...
'Will have' but not all do. I've had Revolut send me an email intended for another customer. It had his name, phone number, nature of the complaint etc... Revolut did contact me and say the email was intended for another customer and to delete it.
I put in a Freedom of Information request to the ICO to ask about data breaches reported by Revolut. ICO responded saying no breaches have been reported by Revolut. So, not all are reported to the ICO.
-1 -
natwestissue said:
Hi all,
A couple of years ago I moved my mortgage to Natwest. A few weeks ago I logged into their website to check the status of my mortgage, and look at making an overpayment.
Imagine how surprised I was to find out that after paying eight years' worth of mortgage that I owed more money than I did eight years ago. Except that I don't, I was looking at someone else's mortgage. Whilst I did have to suffer the near heart attack of seeing that, I'm just grateful that I did spot it, and didn't just make the overpayment.
I raised the issue with Natwest, but for me, their response hasn't been good enough. They said sorry, sent me some booze and asked me to delete the evidence, however, they closed my complaint even though I'd specifically said I wouldn't close the complaint until hearing back from their IT department about how it happened. I also made a subject access request with my original complaint, so I could be sure all my data is correct (as I am unable to check my mortgage on their website). They ignored my SAR, and only acknowledged it when I contacted them again about them closing my complaint before it had been resolved.
My issue is, I now feel very unsafe having my mortgage with Natwest, and want to swap to someone else, however, I believe I'm still within the introductory rate period (again, I cannot check), so would have to pay an early repayment fee, which I think under the circumstances would be unfair. Is there any way I can avoid this?
If you are still concerned and not happy with their response, bring it to the Financial Ombudsman. They may look into this for you further but I am sure they will not side with your intention of wanting to change to a new deal because of this error.
0 -
I would love to know which banks do not breach data protection because I have worked for 2 and one of my best mates works for another and I know all 3 of them have breached data protection laws. It is nigh on impossible for them to not have. Add in my credit card comment above and that is a fourth bank.
For me, it still stands. They made a mistake, you can not use that to get out of the contract you signed up for, one does not negate the other. Even consumer rights are not on your side, if I buy something faulty, I have to give the retailer the opportunity to put it right in the first instance. The bank can not do anything more than apologise and ask you to do the right thing. If they allow you to leave, it would be a goodwill gesture and not because you have any rights (in my opinion).
I am a Mortgage Adviser
You should note that this site doesn't check my status as a mortgage adviser, so you need to take my word for it. This signature is here as I follow MSE's Mortgage Adviser Code of Conduct. Any posts on here are for information and discussion purposes only and shouldn't be seen as financial advice.
3 -
I put in a Freedom of Information request to the ICO to ask about data breaches reported by Revolut. ICO responded saying no breaches have been reported by Revolut. So, not all are reported to the ICO.
Minor breaches do not need to be reported to the ICO. The breach the OP had was minor.
Note for others: Oceansound bumped the thread, which is from March. The OP never returned and was last active 22 April at 11:26AM
I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.
1 -
dunstonh said:
I put in a Freedom of Information request to the ICO to ask about data breaches reported by Revolut. ICO responded saying no breaches have been reported by Revolut. So, not all are reported to the ICO.
Minor breaches do not need to be reported to the ICO. The breach the OP had was minor.
Note for others: Oceansound bumped the thread, which is from March. The OP never returned and was last active 22 April at 11:26AM
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/#:~:text=You notify the ICO within,investigation within a few days.
...
Revolut did inform the affected individual. If it was not high risk they did not have to inform the individual.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
Although organisations do not need to report EVERY breach, they do need to report those that pose a risk to an individual:
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/
In this case, it did - that's how come they informed the individual at risk.
0 -
ACG said:
I would love to know which banks do not breach data protection because I have worked for 2 and one of my best mates works for another and I know all 3 of them have breached data protection laws. It is nigh on impossible for them to not have. Add in my credit card comment above and that is a fourth bank.
For me, it still stands. They made a mistake, you can not use that to get out of the contract you signed up for, one does not negate the other. Even consumer rights are not on your side, if I buy something faulty, I have to give the retailer the opportunity to put it right in the first instance. The bank can not do anything more than apologise and ask you to do the right thing. If they allow you to leave, it would be a goodwill gesture and not because you have any rights (in my opinion).
https://www.whatdotheyknow.com/request/revolut_ltd_data_breaches_report
When you say you've worked in 2 banks and one of your best mates works for one that's not really casting the net wide, is it?
It's just a bubble.
You could rebut and tell me what another poster has said, that is all of Revolut's breaches in this period may have been 'minor'. Hard to swallow. Anyway, Revolut didn't report the breach I was talking about earlier, that confirms that they are not reporting breaches that need to be reported!
BTW, do you have any evidence that the likes of Monese and Chip have had breaches the like of what the OP experienced?
0