A former information technology manager has filed a whistleblower lawsuit alleging a major security breach at Deutsche Bank’s Manhattan headquarters, claiming a fellow IT contractor repeatedly brought his girlfriend – an unauthorized Chinese national with computer expertise – into the bank’s most sensitive tech rooms.
The lawsuit further alleges the incident was covered up by both Computacenter, the IT outsourcing company, and Deutsche Bank, resulting in the whistleblower’s termination.
According to James Papa, who served as Service Delivery Manager for Computacenter (CC) at Deutsche Bank’s 1 Columbus Circle headquarters, security protocols were egregiously violated over several weeks in spring 2023.
In his complaint filed in New York State Supreme Court, Papa alleges that a subordinate Computacenter employee admitted to bringing his girlfriend, later identified as “Jenny,” into restricted technology rooms that house Deutsche Bank’s confidential client and transactional data – all with the acquiescence of the bank’s own security staff.
Papa states that “Jenny,” not a bank or Computacenter employee, accessed headquarters and the tech rooms on multiple occasions, always when Papa was offsite.
She was reportedly observed using a Computacenter-issued laptop plugged into Deutsche Bank’s secure network.
Later, Papa learned that Jenny was a Chinese citizen with significant IT training, and that she and the employee traveled to China together shortly after the incidents.
Upon discovering the breach, Papa promptly reported it up Computacenter’s chain of command.
However, he alleges that instead of launching a transparent investigation, both Computacenter and Deutsche Bank attempted to cover up the security incident to protect their multimillion-dollar contract and reputations.
Papa claims that his whistleblower complaint to company leadership and bank management triggered an aggressive internal interrogation and, ultimately, his termination on July 31, 2023.
The lawsuit further alleges that neither company reported the serious breach to law enforcement, regulators, or the public, despite Deutsche Bank’s obligations as a public company subject to SEC oversight.
No disciplinary action was taken against the employee or his girlfriend; Papa himself was the only individual dismissed.
Papa is suing for whistleblower retaliation, negligence, tortious interference, and conspiracy, seeking compensatory and punitive damages totaling over $20 million.
Both Computacenter and Deutsche Bank have yet to comment publicly on the lawsuit.
The case spotlights the cybersecurity risks faced by financial institutions relying on third-party IT contractors, and raises pressing questions about internal controls, regulatory disclosure, and whistleblower protections in the banking sector.