Bank of Ireland could face civil cases after 47,000 customers hit by data breach

The Data Protection Commission handed down a fine of €463,000 to Bank of Ireland, but the matter could cost it a lot more than that.

Bank of Ireland could face multiple civil cases after an investigation found the data of 47,000 customers was altered in a way that could have damaged their credit history.

The Data Protection Commission (DPC) found that the bank breached GDPR, the EU’s law on data protection and privacy, in relation to inaccurate information sent to the Central Credit Register (CCR).

In some cases, incorrect data was added to a customer’s file to indicate they were “in financial distress”.

When Bank of Ireland was initially contacted by the DPC about the error, it said one customer was affected.

“It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC said, adding that it took over 18 months for Bank of Ireland to provide a final number for those affected.

In relation to one high-risk instance where 236 people had credit card information inaccurately reported, the DPC said it was “inexplicable” that the bank waited until November or December 2019 to inform the customers when it could have done so the previous June.

Bank of Ireland was ordered to fix the issues with its data processing systems and was rebuked for the length of time it took to inform customers.

While the DPC handed down a fine of €463,000 to the bank, the matter could cost it a lot more than that.

'Indicator of wider problem'

Data Compliance Europe director Simon McGarr said the DPC’s findings could be an early indicator of a wider problem of companies mishandling customer data and he suggested Bank of Ireland could potentially face court action from customers.

The case “goes to the heart of the relationship between a bank and its customers”, Mr McGarr said.

“In terms of Irish precedence, the €463,000 fine is a substantial figure,” he said. “It’s not the final word for the bank either. If individuals were affected by the data breach, they have a right to civil action against the bank.

“If it had a serious effect, a claimant could show a financial loss from this breach. But when I say affected, that could just include the improper disclosure of this data, they don’t have to demonstrate actual financial loss. The GDPR allows for recovery of non-financial loss.”

Sinn Féin finance spokesman Pearse Doherty said he feared this case could be a “sign of deeper problems within the banking sector and how it handles customer data”.

In a statement, Bank of Ireland said it “acknowledges and sincerely apologises” for the breaches identified by the DPC and said that it had taken measures to address the failings identified.

“The bank has notified all impacted customers,” it said. “It has rectified the inaccurate information reported to the CCR in all but 20 cases which will be corrected shortly.

“The bank has engaged fully and proactively with the commission during its inquiry and will continue to do so as it implements these additional measures as quickly as possible.”

© Irish Examiner Ltd