Data Protection

BOI Fined €463k by DPC Over Breaches that Affected Thousands

By April 6, 2022 No Comments
Freedom of Information Act

Bank of Ireland (BOI) has been fined over €463,000 by the Data Protection Commission (DPC) after it was discovered that the bank had accidentally altered the data of thousands of customers that could have potentially damaged their credit ratings and prevented them getting loans.

22 Breach Notifications

Between November of 2018 and July of 2019, the Commission received 22 breach notifications from the bank in relation to the “corruption of information” that was sent to the Central Credit Register. Out of these 22, a total of 19 met the definition of “personal data breach” under the European Union’s General Data Protection Regulation (GDPR) law, despite the bank stating that only one customer had been affected when it initially contacted the DPC.

“It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC said, adding that the breaches from Bank of Ireland were of a “negligent character”. The Commission further noted that it took Bank of Ireland over a year and a half to supply the correct figures for customers affected, including more than 27,000 mortgage accounts. It was discovered in some instances that the files of a number of customers had been labelled as being “in financial distress” even though they weren’t.

50,000 Customers Affected

In total, around 50,000 customers were affected by the breaches. However, the DPC noted that that all Bank of Ireland customers were touched by the failure to have “appropriate technical and organisational measures in place”, and that this could have “resulted in any customer (and in some cases ex-customers’) personal data being erroneously disclosed to the Central Credit Register”.

In its findings, the DPC discovered found breaches of Article 33 of GDPR, which is the failure to disclose personal data breaches to DPC without undue delay, Article 34, which concerned a failure from Bank of Ireland to inform those affected about the breach, and Article 32(1) by failing to ensure a level of security in transferring data to the Central Credit Register.

In referring to the €463,000 fine, Daragh O’Brien, from data quality and strategy consultancy Castlebridge, stated that organisations need to exercise greater caution in paying attention to the quality of their data, and to ensure that adequate measures are put in place to prevent this from happening rather than having to “fight fires” and react when it does.

*In contentious business, a solicitor may not calculate fees or other charges as a percentage or proportion of any award or settlement.*

Leave a Reply

Bitnami