Bank apologises for errors giving 'unauthorised people' access to customers' online accounts

Data Commissioner Helen Dixon said she disagreed with Bank of Ireland’s assessment that the risk of identity theft, fraud, or financial loss was low. Picture: Cyril Byrne

Bank of Ireland has apologised after a series of errors gave unauthorised people access to customers' Banking365 online accounts. 

The bank has been hit with a €750,000 fine by the Data Protection Commission (DPC) following a probe into the circumstances surrounding 10 data breaches involving the Banking365 system, which saw users of that portal given access to accounts other than their own.

In total, 136 accounts were left exposed but the bank has said no one suffered a financial loss from the errors.

The reprimand and fine from the DPC bring the penalties for data breaches levied on Bank of Ireland to €1.2m in just 11 months.

The latest penalty stems from the result of an investigation into 10 personal data breaches reported by Bank of Ireland between January 30 and May 6, 2020, concerning the unauthorised access to and disclosure of personal data processed by Banking365.

Six of those breaches saw “unauthorised people” granted access to customer accounts online due to “staff not following BoI procedures correctly”.

The other four saw customers receiving unauthorised access due to a “flaw” in the algorithm of the bank’s customer information system, the DPC said.

In those cases, the bank was made aware of customers being able to view the account transaction details of third parties while logged into their own unique account. Some of the other breaches saw people given access to both the accounts of others and account services.

In her published report, commissioner Helen Dixon said she disagreed with Bank of Ireland’s assessment that the risk of identity theft, fraud, or financial loss was low in the context of the reported data breaches due to the size of its customer base.

She said the manner by which BoI processes personal data via Banking365 “creates a high risk to the rights and freedoms of natural persons in terms of severity”, adding “the risks of fraud and identity theft would severely undermine a customer's relationship with the bank”.

The DPC found Bank of Ireland had breached the EU's data protection laws by failing to ensure the appropriate security of the personal data of its customers on the Banking365 platform, and by failing to implement the necessary technical measures to ensure that security.

The DPC noted further that BoI had prior knowledge of some of the issues with its processes, and had delayed for 21 months before implementing a technical fix for its customer information system, a fact the bank had attributed to the impact of covid-19.

Ms Dixon said the imposition of the €750,000 fine was necessary “to deter other future serious non-compliance on the part of BoI”.

A spokesperson for the bank said it accepted both the fine and the DPC’s decision, and said the bank “sincerely apologises for the errors” which gave rise to the penalty.

Last March, BoI was fined €463,000 by the DPC after an investigation found customers’ data was accidentally altered in such a way that their credit ratings could have been damaged, thus preventing them from being approved for loans.



© Examiner Echo Group Limited