
Bank breaching GDPR and security

22 replies

missmousemouth · 13/08/2024 16:54

My bank has very seriously breached GDPR and security for the second time.

It merged my account with the account of someone else with the same name as me, giving me visibility of all their financial and personal information, including correspondence labelled private and confidential. I could have stolen all her money.

I assume the other customer had visibility of mine but my bank hadn't said.

The first time my bank did this (two years ago and with the same person) I was told it was human error and it would never happen again. I was awarded £375 in compensation.

I've made a formal complaint and I'm still waiting for an explanation five days later. How do I escalate this further? I think the bank needs investigating.

LeFromage · 13/08/2024 20:53

Give the Financial Ombudsman a call, OP, and speak to someone (read their website first). You can complain to the ICO too, but this is not just seeing someone else's data and them yours; it sounds like both of you had access to your newly made "joint account" monies. It's very serious, and even more so because it's happened twice.

howmanyottersonaplane · 13/08/2024 20:55

I would definitely change bank after this, that’s for sure

OKherewegoagain · 13/08/2024 21:13

Banks should have clear regulations and timelines to respond to complaints, and if you then feel they have not resolved it to your satisfaction you can complain to the FCA, but they will only take your complaint on after the regulatory timeline has lapsed from the bank.

Ineedaholidayyyy · 13/08/2024 21:25

There is a formal process to follow before you can take things further with the Financial ombudsman.

The bank should be aiming to contact you within 4 working days with a response; if the complaint can't be resolved there and then, they will investigate further. The bank will have up to 8 weeks to reach a resolution.

If after the final resolution letter has been issued, you are still not happy with the response, then you are advised to take up with the ombudsman at that point.

missmousemouth · 21/08/2024 08:57

Over two weeks later and not a word from my bank. I was told in a chat they had 8 weeks to respond, but is that acceptable with a breach as serious as the one I outlined?

I've sent follow up communication and tried to escalate it via their online chat only to be told again they've hit 8 weeks.

At the moment I have no idea how seriously my data was breached. No idea how much the other customer has seen and had access to.

FleaDog · 21/08/2024 09:03

Although they have the 8 weeks to reply, usually if you email the CEO etc of the bank being very clear of the error and significance of the DPA breach it will usually get swifter action taken.

Which bank is it?

Andwegoroundagain · 21/08/2024 09:03

Unfortunately they have the right to take their time to respond to the complaint. I'd certainly be changing banks at this point and moving your money out. You should also register with a credit check agency to make sure there is no identity theft.

JacobKowalski · 21/08/2024 09:08

missmousemouth · 21/08/2024 08:57

Over two weeks later and not a word from my bank. I was told in a chat they had 8 weeks to respond, but is that acceptable with a breach as serious as the one I outlined?

I've sent follow up communication and tried to escalate it via their online chat only to be told again they've hit 8 weeks.

At the moment I have no idea how seriously my data was breached. No idea how much the other customer has seen and had access to.

Have you spoken to them over the phone at all? I work in banking and this would be seen as a Data Protection breach (a pretty bloody serious one at that!) which has to be reported within 24 hours.

Can you still see all this other person's details? That is a major fuck up, I'd be telling them I'm going to the Financial Ombudsman (FOS) if they cannot resolve my complaint asap. The bank have to pay a fee for every case taken up by FOS so they won't want that.

missmousemouth · 21/08/2024 09:19

FleaDog · 21/08/2024 09:03

Although they have the 8 weeks to reply, usually if you email the CEO etc of the bank being very clear of the error and significance of the DPA breach it will usually get swifter action taken.

Which bank is it?

Starling

missmousemouth · 21/08/2024 09:23

@JacobKowalski I requested contact details for a senior data protection person but was given a generic contact. I did send a follow up email telling them that irrespective of how they eventually addressed the issue I would be contacting the Financial Ombudsman. No reply to that email.

missmousemouth · 21/08/2024 09:24

@JacobKowalski Who do they have to report the breach to?

missmousemouth · 21/08/2024 09:27

@JacobKowalski Sorry for repeated replies. No, I can't see the other customer's details anymore. That was rectified in about a day. After I pointed out I could steal all their money they restricted both our accounts, but didn't lift those restrictions when they resolved the issue. Which left me unable to pay for my groceries, bus fare etc. I was so embarrassed and angry.

Ineedaholidayyyy · 22/08/2024 09:04

As an employee of a bank, a staff member must report any data breaches straight away, within 3 business days of discovering a breach (I think).

Appreciate it is frustrating to have had no formal response yet, however the bank's complaints team will have up to 8 weeks to issue their final response letter, regardless of the type of complaint it is.

Misthios · 22/08/2024 09:11

Having been through a complaint with the financial ombudsman recently I found them super efficient and easy to deal with.

However, you have to go through the bank's internal complaint process first and be unsatisfied with the outcome to open a case with the Ombudsman. I would argue that because this has happened before and you have complained, then the ombudsman should take your case right away.

Tell the bank you are going to the Ombudsman. Tell them you are reporting them to the Data Protection people. Also the only thing which got things moving on my case (which wasn't a bank, it was pension related) was going to the press, there are lots of financial journalists out there (Sally Hamilton at the Mail/This is Money, Katie Morley at the Telegraph, Katherine Denham at the Times) any of whom will be interested in your story.

missmousemouth · 22/10/2024 09:45

I'm resurrecting this. The bank has finally got back to me. They've offered £200 compensation, which is less than they gave me two years ago when they made the same mistake.

Again, the explanation for the breach was human error. When I queried the lower compensation amount I was told that, unlike two years ago, this was because the other customer had not seen my information even though I had seen theirs. This is the first time I've had it confirmed my privacy was actually breached two years ago, which irritates me.

The £200 compensation also feels insulting given it's a repeated offence - it also feels like they're 'less sorry' or even not sorry at all.

I am intensely irritated by this. Does this response from the bank seem reasonable or fair to you? I'm now thinking of taking it up with the Ombudsman but wondering if it's worth it.

itwasnevermine · 22/10/2024 09:47

Take it to the ombudsman and the ICO.

My dad had a loan with NatWest. NatWest alleged it became repayable, and demanded it all. My dad refuted this and asked for a copy of the loan agreement on their end.

NatWest ended up sending my dad the agreement and another random person's mortgage deeds and financial details. My dad raised a complaint and the entire loan was written off and compensation of about £1500 given.

This is unforgivable and £200 isn't enough.

MikeRafone · 22/10/2024 10:09

I had this with Lloyds Bank insurance - so Scottish Widows. They kept sending me letters to say about my change of address.

It turned out a person with the same name, Mike Rafone, had a life policy with the same bank and an account.

My 10 year old daughter was with me when I went to the bank confused, she pointed out to them that they could use our dates of birth to tell us apart.

They awarded me money as compensation.

OP, did you want compensation? I'd ask for £800 (on the basis that it will cost them thousands if it goes to the ICO and it's happened, you can't change that) and then change your bank account using a you switch and get a bonus with any bank that is paying a bonus.

This will not stop happening.

I changed my name - not due to this, but it stopped happening afterwards.

MikeRafone · 22/10/2024 10:12

https://ico.org.uk/for-the-public/data-protection-and-journalism/taking-your-case-to-court-and-claiming-compensation/#court1

Tell the bank they can pay you X amount or you will take it to court this time. Human error is not an excuse, as you were assured it wouldn't be repeated and you have allowed them 2 years to find a solution to prevent this human error recurring.


Andwegoroundagain · 22/10/2024 13:54

I wouldn't be satisfied with that response. It's less about the £200 and more worrying that human error has twice resulted in the same issue.
You can ask them how they are ensuring this does not happen again.

Misthios · 22/10/2024 15:40

I would take it up with the Ombudsman. They are very easy to deal with, you just fill in an online form and tell them what has happened, give them your account numbers and they have the power to force the banks to release everything they have.

If the Ombudsman thinks you have been treated fairly they will not uphold your complaint and that's the end of it - and you are no worse off than you are now. If they DO uphold your complaint and order the bank to pay more compensation or to make other changes, then the bank has a legal obligation to comply.

Seriously, you have nothing to lose by opening a case.
