to ask what to do now? The bank have given my details to abusive ex...

[AnchorDownDeepBreath]

I made a complaint to the bank a few months ago that they had allowed an abusive ex-partner to open an account in my name and run up debt. Three weeks later, they were still allowing him to use the account (according to my credit file) and I complained again.

Today I messaged them to ask what was taking so long. They've just called and confirmed that they sent a letter, including all the allegations, to his address. An address that I have never lived at. The letter contains my new mobile number, at least, and possibly my new address.

He was very violent. He hit me when we broke up. I had to get the police involved and be escorted to work and home again for a while, had to work odd hours, he waited for me outside anywhere he thought I might be. I had to go into a refuge for a while and get a new number. It took months for me to feel calm that he didn't know where I was. I was treated for intense PTSD, and situational anxiety.

They knew this. I was explicit about this, and they knew it, and have detailed in the letter that they know they can only use certain contact details for me...

The bank complaints handler has apologised and said they will call back today as soon as possible. He shut down and wouldn't tell me any more.

What do I do now? I don't want to keep running, to live in fear again. It cost a lot to deal with it last time, there's a lot of inconvenience... I can't believe they've messed it up. I'm so scared he'll turn up here.

Sorry I meant how dare they NOT want to pass on the outcome to you etc.^^

You need to find a good lawyer. You could get a huge amount in compensation for this. I heard of another case where someone got millions for similar.

What about the hotel costs because you had to leave your home on police advice?

You need to make it public. Put it all on social media. Your ex knows it's you, so it's not like he's finding anything extra out. And he won't get any info he doesn't already have.

Yep, time to start shouting about this.

Report this to everyone you possibly can, you’re not going to get an appropriate response from Barclays so it’s time to force them

Lawyer up, OP.

Also meant to say: 'minutes. 'reiterated that they'd pay for any evidenced costs for changing my mobile number'

Whoop de doo.

They need to get ready for paying you back for EVERYTHING that THEY have fucked up since this started. Hotels, travel, everything. That's without even thinking about compensation for the personal trauma and disruption.

www.hughjames.com/news/comment/2017/10/will-gdpr-open-floodgates-compensation-claims/#.XJt3vCKeSUk

Post from 2017 stating that the GDPR explicitly says you can claim for "non-material damage" -
"This could include a claim for (but not limited to):
-Distress
-Anxiety
-Reputational damage"

So their line on "maybe we could refund your costs for the mobile phone, if you can prove them" is bollocks.

I've been reading this thread over the last few days but in bits and bobs so might have missed a few posts.

I just did a bit of googling on Barclays and data breaches - which led me to a BBC article about a similar case involving EE and an ex managing to switch the victim's mobile number thereby getting lots of info he shouldn't have... www.bbc.co.uk/news/technology-46896329

I've tried googling to find out more (actions taken, compensation etc) but can't find any. However a Daily Mail article on the same thing hada little more info, including the tweet that was sent to ee but copiesd to BBC Have Your Say which led to the Victoria Derbighshire Show and and further tweets - might be useful to look at to see what she said and how the bbc became involved - might be a way to try to kickstart getting serious help from Barclays.

And speaking of the Daily Mail - how can it justify trawling mumsnet for stories, taking so many that hurt those involved when what they have written becomes public so they miss out on the help and support they should have got from mumsnet - and then ignore this - when their intervention could make a serious and good impact somebody's life, not to mention keep them from serious harm? it's the least they could do!

Even a search on barclays data breach stalker to see if anything came up that was similar brought up an unexpected result...

www.linkedin.com/in/andrew-stalker-44352b17

Apparently the new 'Chief Information Security Officer - Barclays Execution Services at Barclays' is called Mr Stalker... More than slightly disturbing when put together with the fact that he is head of their Execution Services - which I know has a specific banking meaning but gave me a momentary shiver reading it through at first before reality kicked in! Nominative determinism or what

Anyhow, it links to his Linked In page - shown above. Might be another route to contact someone in Barclays who should recognise the seriousness of this and be able to kick it swiftly to the correct people...

OP, I bet they haven't reported the breach to the ICO. Your posts about "human error" strongly suggest they hope they can fob you off.

Time to hit hard. Claim for everything you spent on the extra expenses, the hotel, any security, etc.

If, as a result of this, you find yourself forced to move/change jobs, I would also claim for any costs in relocation. Because of course, you would still be happy in your work at your current home if they hadn't fucked up. All these costs will be peanuts to a company of their size, but they won't like the publicity if the public find out how shabbily you've been treated.

What about hotel costs, maybe house moving costs and the chance you could lose your job over their error. They are seriously deluding themselves if they think changing your phone number is the answer. Get professional help.

Second the lawyer

I was just looking at the organisation section of the IPO site. There it says that 'If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.'

When you next speak to Barclays, point out that the cause of the breach - human error - is immaterial. The fact that the breach happened is the important fact. As soon as you reported it, they had to consider whether this poses a risk to people - yes it does, as evidenced by the considerable involvement from the police. Also they need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach - well it's actually already caused a significant impact to your right to live peacefully in your own home as you've had to move out, it's causing you problems with your job (not just now but you've also said you're worried in the longer term), potentially could cause problems for your dp when he returns and there could be other issues as time goes on, both in the immediate and long term future. It's also impacted your freedom as you now have super serious security issues that you have to consider as the recipient of the information has already been spotted several times at the address that had been withheld from him previously on the advice of the police. You have legitimate concerns, verified by the police, as to your safety and well-being should your ex find you.

Which means that when they look at the statement When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO it is clear that there is already significant risk to you - they don't even need to consider further risks in the future as there is massive current actual risk so they have to report it within 72 hours - there is no way that they can argue that they didn't know or expect it to be a big risk. That their poor complaint handling didn't pick it up when you first told them about it is their problem, not yours. they are the ones that should be incurring an increased fine because they have sat on this for weeks rather than doing anything about it and actually listening to you. As they say elsewhere, human error is one of the biggest causes of breaches - doesn't mean that it lessens the severity of the breach or the size of the penalty they receive. It's something their internal processes should be picking up to ensure this doesn't happen again.

Wonder if it is worth asking the individuals you deal with if there are any penalties that they are personally liable for when they don't deal with a serious data breach properly or is it just the company that gets fined and how does the company react when they realise that they have just completely ignored protocol and tried to pretend it isn't a relevant breach rather than accepting responsibility and dealing with it rather than accruing the risk of bigger and bigger fines...

OK so I have no idea if there are personal fines or consequences in these instances but it might help to focus their minds!

Thank you all for the comments, I'll re-read them all to make sure they all go in.

I CC'd my complaint handler in to an email to DPO@Barclays. He hasn't replied yet, but I've just had a call from my complaints handler who has said they won't be reopening the incorrect letter as it was human error, but they will close the fraudulent accounts and wipe the debts. No news on whether they'll be cleaning my credit file, and she felt that compensation was unnecessary but there will be more information in the letter they hope to get to me. She has said I am welcome to refer it to the FOS once I have read that.

Solicitor hasn't called back yet, but hopefully soon.

Compensation unnecessary? Seriously? Wow.

You must take this further OP.

And did you tell her than human error is no longer a valid excuse? What did she say to that?

Start tweeting at them. I'm sure we will all be happy to share your tweet around (make a new Twitter account if you want so it doesn't link to anything personal)

Barclays are more concerned about covering their Arse then they are about the risk they have caused you.

I would ask the complaints handler to put their response in writing to you and then you can take it further.

I think you may find the dpo at Barclays May well force them to reopen the case. Human error it may be, but it's a data protection breach nonetheless and they cannot ignore that side and try to fob you off.

Absolutely gobsmacked at Barclays blatant breach of GDPR being covered up- where is the Daily Mail when you need them? Op don’t give up, make sure you continue to get all agencies involved and keep safe. Makes my ex getting hold of my phone records from t mobile during our divorce look minor by comparison and they were good enough to get me a new number, a new phone and put a password on my account as an extra security level for ongoing safety - all within 24 hours! which is more than Barclays have done for you - so cross on your behalf

This is just terrible. I really feel for u OP

Funny how the daily fail jump on the most innocuous threads like 'lent friend thing and she sold it', but give them a chance to actually hold a huge company to account and do some good, and there's no sign of them.

So sorry for you OP. Can’t believe the response from Barclays. I am actually going to switch my bank account from Barclays after Reading this. As they clearly don’t care about their customers. Hope you get a good solicitor and they get this resolved properly for you.

I’m another one reading aghast and considering changing from Barclays.

OP do they know all the steps you’ve had to take as a result of their incompetence? It’s almost like they’re just treating it as a letter gone astray.

Are you able to go home yet? If not and you’re still swapping from one cafe to another...I’d start emailing your complaints handler every time you have to move with an update eg just letting you know I’ve had to move cafes again because I can’t go home as your incompetence has lead to my abusive ex having my home details, just letting you know I can’t go to work because of the above, just letting you know I’m staying in a hotel tonight etc etc - start adding the monetary total it’s cost you, email every hour, on the hour. Be a nuisance, they’re hoping you are going to give up. Don’t.

They’ve utterly and completely messed up and failed spectacularly to address the issue.

It’s ludicrous they’ve dismissed it as human error - there are supposed to be procedures and system in place to pick up human errors before they impact customers!

I'm switching from Barclays too.

The way this has been handled is outrageous.

You are not being given the attention that their mistake has caused.

Evidencing a new phone/cost of calls? What an absolute joke! They have put your entire life in jeopardy with their error.

If this has been escalated and this is his the Senior Exec team have been advised to "handle it" then I am beyond disappointed.

OP my blood is boiling for you. I'm so sorry you're having to go through this.

A PP asked whether individuals would have penalties for breaching gdpr - they won't. Barclays are classed as a data controller and if they outsource customer data to a company who process the data then that company would be known as data processors. If a data processor breached gdpr then they would be liable under their contract with the data controller. Employees processing data are just employees of the controller. I expect beaches due to human error would be dealt with through training and disciplinaries etc.

I hope you are able to find a lawyer. I genuinely think you are dealing with a load of people who have no clue what they're doing or how serious this is. The fines for breaching gdpr are severe and all companies took the preparation or gdpr very seriously.