Bank of Ireland fined €463k after data breaches potentially impacted thousands of customers' credit ratings
Between November 9, 2018, and June 27, 2019, the DPC received 22 breach notifications from Bank of Ireland in relation to the 'corruption of information' the bank was sending to the Central Credit Register. File picture: Denis Minihane
Bank of Ireland has been fined €463,000 by the Data Protection Commission (DPC), after an investigation found that thousands of customers’ data had been accidentally altered in such a way that it could have damaged their credit ratings and prevented them from getting loans.
The DPC found Bank of Ireland breached a number of articles of the General Data Protection Regulation (GDPR), which is the EU’s law on data protection and privacy, in relation to inaccurate information the bank sent to the Central Credit Register.
Between November 9, 2018, and June 27, 2019, the DPC received 22 breach notifications from Bank of Ireland in relation to the “corruption of information” the bank was sending to the Central Credit Register. In total, 19 of these incidents met the definition of “personal data breach” under GDPR.
In some cases, incorrect data was added to a customer’s file to indicate they were “in financial distress” when they weren’t.
When Bank of Ireland initially contacted the DPC about this error, it said one customer was affected.
“It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC said, adding it took over a year and a half for Bank of Ireland to provide a final number of customers affected by this breach. This included more than 27,000 mortgage accounts.
With the Central Credit Register, people who have received loans can request their credit report to see what information a bank has submitted on their loans, while banks can use credit reports to get a picture of a person’s current lending and credit history.
This information can then be used by a bank to decide whether it should approve a loan application or not.
About 50,000 customers in all were affected by personal data breaches considered by the DPC, but it noted that all of the bank’s customers were affected “in that the failure to have appropriate technical and organisational measures in place could have resulted in any customer (and in some cases ex-customers') personal data being erroneously disclosed to the Central Credit Register”.
The DPC found some of the infringements from Bank of Ireland were of a “negligent character”.
In relation to one of the breaches, the bank became aware of it almost one year — 335 days — after it began.
“The nature of the breach was sensitive as it related to customers who were previously removed from mortgage accounts,” the DPC said.
“It was incumbent on the bank to have technical and organisational measures in place which would have allowed it to detect the breach at an earlier point.”
The DPC found breaches of three articles of GDPR: Article 33, for failing to notify the DPC of personal data breaches without undue delay; Article 34, for failing to inform the affected customers about the breach; and Article 32(1), for failing to ensure an appropriate level of security when transferring data to the Central Credit Register.
Referring to the fine dished out to Bank of Ireland as the “canary in the coalmine”, Daragh O’Brien from data quality and strategy consultancy Castlebridge said the failings identified here “may be indicative of a wider problem” for Irish companies.
“The fine reflects the seriousness of what happened, and it’s definitely something the DPC will have considered,” he said.
He said that companies, in particular financial institutions, needed to pay attention to the quality of their data. This is especially the case when disclosing it to a third party, as Bank of Ireland did in sending customers’ data to the Central Credit Register.
Mr O’Brien said it was important that companies put in place measures to prevent this from happening rather than having to “fight fires” and react when it does.
In a statement, the bank said: "Bank of Ireland fully acknowledges, and sincerely apologises for, these breaches. The Bank takes its regulatory and compliance obligations very seriously and regrets that it has fallen short in this way.
"The Bank has notified all impacted customers. It has rectified the inaccurate information reported to the CCR in all but 20 cases which will be corrected shortly. It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors."