Bank of Ireland fined $504K for credit rating data breaches

In its final decision dated March 14 but widely reported this week, the Irish DPC ruled 19 of the 22 notifications investigated counted as personal data breaches under the European Union’s General Data Protection Regulation (GDPR).

Between Nov. 9, 2018, and June 27, 2019, the bank self-reported a series of personal data breaches relating to errors in the data feed it submitted to the central credit register (CCR), a centralized system run by the Central Bank of Ireland that collects and securely stores information about loans.

The incidents included unauthorized disclosures of customer personal data to the CCR and accidental alterations of customer personal data on it.

In some cases, incorrect data was added to a customer’s file regarding either a restructured loan or mortgage to incorrectly indicate they were in “financial distress.”

The regulator said some of the infringements were “negligent in character.” One of the breaches—which took the bank 471 days since it occurred to notify the Irish DPC of—affected 47,000 data subjects.

The Irish DPC said the bank violated Articles 32, 33, and 34 of the GDPR by failing to have adequate technical and security measures in place to ensure data was transferred safely and for failing to promptly notify data subjects and the regulator about the breaches.

Alongside the fine, the data regulator ordered the bank to bring its technical and organizational measures in line with the GDPR’s requirements.

In a statement, the bank apologized and said it notified all impacted customers and “rectified the inaccurate information reported to the CCR in all but 20 cases, which will be corrected shortly.” It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.