The Data Protection Commission (DPC) in Ireland, which enforces compliance with the EU’s General Data Protection Regulation (GDPR), has fined Bank of Ireland €463,000 ($503,000) over a series of data breaches that occurred between November 2018 and June 2019 that resulted in impermissible disclosures of the personal data of its customers. More than 50,000 customers were affected, and the DPC also found Bank of Ireland had failed to promptly notify individuals about the data breaches.
The DPC was notified about 22 data breaches by Bank of Ireland between 9 November 2018 and 27 June 2019. The DPC determined that 19 of those incidents met the criteria of personal data breaches under the GDPR, the most extensive of which affected around 47,000 of its customers. The incident caused the corruption of the data feed to the Central Credit Register (CCR), which resulted in incorrect data being fed into customers’ credit histories, which in some cases indicated the customers were experiencing financial distress when that was not the case. Another breach, which affected 236 customers, resulted in the inaccurate reporting of credit card information to the CCR.
In the case of the latter, customers could have been notified about the incident in June yet did not receive notifications about the issue until November 2019. Under the GDPR, individuals affected by data breaches must be notified without undue delay. There were delays in issuing notifications about several other personal data breaches.
In addition to the financial penalty, Bank of Ireland has been ordered to update its policies and procedures to ensure compliance with the data processing and breach reporting requirements of the GDPR. Bank of Ireland issued a statement apologizing for the data breaches and notifications and has confirmed that all customers affected by the breaches have now been notified and that the inaccurate information reported to the CCR has been corrected aside from the data of 20 customers, which will be corrected shortly. Bank Of Ireland also confirmed that processes have been updated to improve CCR reporting and new procedures have been implemented to improve error management and the speed at which errors are corrected in the future.