Bank of Ireland has been fined €463,000 by the Data Protection Commission after an investigation found that thousands of customers’ data was accidentally altered in such a way that it could have damaged their credit ratings and prevented them from getting loans.
The DPC found Bank of Ireland breached a number of articles of the General Data Protection Regulation (GDPR), which is the EU’s law on data protection and privacy, in relation to inaccurate information the bank sent to the Central Credit Register.
Between November 9, 2018, and June 27, 2019, the DPC received 22 breach notifications from Bank of Ireland in relation to the “corruption of information” the bank was sending to the Central Credit Register. In total, 19 of these incidents met the definition of “personal data breach” under GDPR.
In some cases, incorrect data was added to a customer’s file to indicate they were “in financial distress” when they weren’t.
When Bank of Ireland initially contacted the DPC about this error, it said one customer was affected.
“It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC said, adding it took over a year and a half for Bank of Ireland to provide a final number of customers affected by this breach. This included more than 27,000 mortgage accounts.
With the Central Credit Register, people who have received loans can request their credit report to see what information a bank has submitted on their loans, while banks can use credit reports to get a picture of a person’s current lending and credit history.
This information can then be used by a bank to decide whether it should approve a loan application or not.
About 50,000 customers in all were affected by personal data breaches considered by the DPC, but it noted that all of the bank’s customers were affected “in that the failure to have appropriate technical and organisational measures in place could have resulted in any customer (and in some cases ex-customers’) personal data being erroneously disclosed to the Central Credit Register”.
“The Bank has notified all impacted customers. It has rectified the inaccurate information reported to the CCR in all but 20 cases which will be corrected shortly. It has also taken measures to improve its ongoing CCR reporting, including error management procedures and a process that enables faster correction of errors.”
If you have been notified of the breach by BOI, you may be entitled to compensation. Fill out the form below to discuss.