DPC Fines Bank of Ireland €463,000 Over Data Breaches

The Irish Data Protection Commission (DPC) fined the Bank of Ireland €463,000 for unauthorized disclosures of 50,000+ customers’ personal data. The DPC also found that the bank had made “negligent” alterations to its clients’ data. To make matters worse, the bank took too long to report these data breaches to customers, which increased the severity of the fine.

In 2018, the GDPR introduced new legislation which requires that all organizations (including banks) report data breaches to the relevant supervisory authority. The Bank of Ireland reported 22 data breaches in the form of information sent to the Central Credit Register (CCR) between November 2018 and June 2019. The DPC investigated these notifications and found that 19 of them count as personal data breaches under the GDPR.

These breaches weren’t reported to the public until now, when the DPC published its findings. Even if you don’t work with the Bank of Ireland, this news is still a cause for alarm. It shines a light on how easily companies can corrupt or expose your data, which can have real consequences on your life.

Why the DPC Fined the Bank of Ireland

The CCR is a centralized system managed by the Central Bank of Ireland that collects and stores information about loans. The Bank of Ireland is required to submit information to it every month; in doing so, it made unauthorized disclosures of customers’ personal data. The bank also made a series of errors in the data feed it submitted.

In some cases, incorrect data was added to customers’ files regarding restructured loans or mortgages, marking them as being in “financial distress”. The bank hasn’t provided information on whether these errors affected its customers’ financial prospects before they were corrected.

The DPC determined that the bank also violated Articles 32, 33, and 34 of the GDPR. The violations include:

• Failing to have adequate technical and security measures in place to ensure data was transferred safely.
• Failing to promptly notify data subjects and the regulator about the breaches.

While the bank released a statement to assure customers it’s correcting the errors and implementing a better system, it still mishandled their data. That’s concerning because, like medical institutions, government organizations, and insurance companies, banks collect and store a lot of private information.

Despite the bank’s assurance that it “takes regulatory and compliance obligations seriously”, this isn’t BoI’s first IT-related fine.

The Bank of Ireland Has Been Fined Before

The Central Bank fined the Bank of Ireland €24.5m in 2021 for breaching regulations regarding its IT infrastructure. The bank had failed to put a robust system in place that could ensure continuity of service in the event of a system disruption.

The Bank of Ireland had self-identified 5 regulatory breaches between 2008 and 2019. Yet the institution only began to recognize and address these issues in 2015. According to the bank, the problems were fully corrected in 2019.

Even though these were regulatory breaches and not data breaches, it’s concerning how carelessly a financial institution treats its network architecture. If you can’t trust a bank to protect your personal data or maintain its IT systems, who can you trust?

Organizations Aren’t Protecting Your Personal Data, So You Should

Data breaches happen on a daily basis now. Plus, as the Lapsus$ gang’s recent spate of attacks proves, even large companies with presumably robust security measures can be breached easily. Regardless of how your data is exposed, the fact remains that companies aren’t doing enough to secure your information.

It’s good PR for a company to say they “take security seriously,” but that’s essentially meaningless if their practices don’t line up. Since companies can’t always (or don’t, in some cases) protect your data, you need to restrict how much information you share with them. Companies and governments collect massive amounts of information about you.

You can’t always get out of sharing some information with organizations, but you can limit the amount of information you generally share:

• Take a moment to consider before you share something on social media.
• Be more selective when creating new accounts.
• Don’t fill in optional information. Many services ask for a long list of personal data that isn’t required to create the account.

When you install CyberGhost VPN, you also improve your online privacy and secure your data. CyberGhost VPN protects your connection using strong 256-bit AES encryption and hides your IP address. That way, the government and any third parties can’t see what you’re doing online. As a bonus, websites won’t be able to track you around the web.

Ever heard of big data? When you surf the web, you create a digital footprint. Companies can track your footprint via your traffic and IP address and then use it to profile you. Some organizations, like advertisers, buy this information. CyberGhost VPN prevents that by making your online actions anonymous. Keep in mind that websites will still retain any information you share with them.
