Woes continue as TSB error letter to customer ‘may have broken’ new GDPR data protection rules
Some TSB customers receiving letters acknowledging a complaint over the recent IT meltdown have also been sent other customers’ details.
Letters from the bank showed the name, address and reference number of somebody else. The bank has apologised for the errors, but one MP has suggested that the error could breach new data protection rules.
Treasury Committee member John Mann said: “There is a danger action could be taken against the bank.”
TSB has been battling to resolve issues with various services since an IT switchover at the end of April.
It has had teams “working around the clock” to fix the issues, which began after the migration of data on TSB’s five million customers from former owner Lloyds’ IT system to a new one managed by current owner Sabadell.
Problems remain for some – particularly business account holders – who are trying to make payments or access online information. The bank’s chief executive, Paul Pester, will appear before MPs on the Treasury Committee for a second time on Wednesday.
Letters acknowledging complaints about the technological meltdown at the bank have been sent out to customers, but within a number of those mail-outs a further letter had been included.
Isabella Morrison-Shand, of Inverness, received one and told BBC 5 live’s Wake Up To Money programme: “When I looked at the second page I discovered that it had a reference number, name and address of somebody that wasn’t me.
“If I was in any way shady, I could contact them and say that I was from TSB and perhaps trick them into discussing things. I have no confidence in TSB at all of controlling their usage of my data and keeping it safe and secure.”
A spokesperson for the bank said: “We are aware that there has been issue with a recent acknowledgement mailing. We are working with our third party supplier to understand the root cause of the error and we’d like to apologise to anyone that may be impacted.”
The Information Commissioner’s Office, which polices data protection rules, said it was “continuing to make enquiries in relation to TSB and we are aware of ongoing issues. Customers who are concerned about their personal data can contact us”.
Mr Mann, a member of the Treasury Committee, which is investigating the TSB saga, told 5 live: “They have broken the law. Even a small or minor breach of the law when it comes to data protection, is very, very important.”
He added banks needed to adhere to the highest standards on GDPR (General Data Protection Regulation).
“The Information Commissioner is not going to be impressed and will want to know exactly what’s been going on. There is a danger action could be taken against the bank,” he said.
Data protection expert Ardi Kolah said it was worrying that the bank was not ready for the new legislation.
Mr Kolah, the director of the GDPR Programme at Henley Business School and author of the GDPR Handbook, added it was “interesting” that the banking watchdog had not commented on the situation.
“One of the things the FCA has been doing is ringing round and checking and making sure the market works. This is quite clearly not how it should be working”.
Mr Kolah also added the bank’s problems could potentially cause a lot of damage.
“If a bank is seen to be a bit wobbly, all the criminals out there go ‘this is an opportunity to go in there and steal people’s data’.”
Meanwhile, fraudsters appear to be taking advantage of the disruption at TSB.
Warnings have been issued about phishing scams where customers have been contacted by text in an attempt to get them to divulge their account details.
Elsewhere, “sim swapping” – in which fraudsters take over someone’s mobile phone so they can get an authorisation code from a bank – has been used. Ronnie, a merchant seaman from Scotland, told BBC Radio 4’s Money Box programme he had £13,000 taken from his account in this way.