PTSB fined over €250,000 by DPC after data breaches led to customers losing money
The Data Protection Commission (DPC) has ruled that PTSB did not follow appropriate security protocols during a series of data breaches in which malicious actors posed as bank customers to access individuals' account details.
Announcing its final decision on Friday, the data watchdog noted three incidents in which people called PTSB’s ‘Open24 Contact Centre,’ posing as customers to gain access to their accounts and amend account details.
In all three incidents, appropriate security protocols were not followed, the DPC said.
The malicious actors were able to change details associated with the accounts and obtain additional account information. As a result, account holders were exposed to an increased risk of additional fraud. The account holders were forced to close their accounts, and, in some cases, suffered financial loss.
As part of the inquiry, the DPC said it assessed the appropriateness of PTSB’s technical and organisational measures for ensuring the security of personal data that it processed through its Open24 Contact Centre. The DPC also assessed whether PTSB notified the DPC of the breaches within the timeframes required by the GDPR.
The watchdog found that PTSB "infringed the principle of integrity and confidentiality" of Article 5 of GDPR by "failing to ensure appropriate security of the personal data related to customer accounts using appropriate technical and organisational measures."
It also ruled that PTSB infringed Article 32 of GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the Open24 Contact Centre, and infringed Article 33 of GDPR by failing to notify the DPC without undue delay and within 72 hours of becoming aware of the breaches.
In light of these infringements, the DPC has reprimanded PTSB and fined the lender €250,000 for the infringements of Articles 5 and 32 of GDPR, and an additional €27,500 for the infringement of Article 33 of GDPR.
The DPC will publish the full decision in due course.




