The Bank of Ireland has been issued a €750,000 fine following a series of data breaches.
Ireland’s DPC (Data Protection Commission) issued the fine after investigating ten cases in which users of the bank’s online app were shown information about other people’s accounts.
The probe revealed that this was caused by two separate errors and that 136 accounts were compromised.
In six of the ten cases, staff failed to follow bank procedures correctly, resulting in account details being mixed up. In the other cases, a flaw in the bank’s customer information system created the breach.
The DPC ruled that the Bank of Ireland had breached Articles 5 and 32 of the GDPR (General Data Protection Regulation). Article 5 sets out the principles for processing personal data, including that it be processed lawfully, fairly and transparently and kept secure, and Article 32 requires organisations to implement appropriate technical and organisational measures to secure personal data.
A steep fine
It seems unthinkable that the Bank of Ireland could have made two unrelated mistakes that both led to customer account information being compromised, but given the number of data breaches we see each day, perhaps we shouldn’t be surprised.
Nonetheless, the improbability of this scenario points to major failures at the bank and surely factored in the DPC’s final judgement.
A €750,000 fine might not sound like much, at least in relation to the GDPR’s much-discussed maximum penalty of €20 million or 4% of the organisation’s annual global turnover. However, it’s one of the largest sanctions in recent memory.
Besides those multi-million euro penalties, the sort you’d expect for tech giants whose mistakes affect millions of people, the only other GDPR fine this year that exceeds this one is the €900,000 punishment given to the Danish fitness firm Sats for failing to uphold data subjects’ rights.
In that instance, 700,000 people were affected, so you can understand why such a heavy fine was necessary. GDPR fines are typically considered along two axes: the number of people affected and the damage that has been caused.
The further up each axis you go, the larger the penalty, and you have to score highly on both to edge towards the GDPR’s top-level fines.
There are other factors that will influence regulators’ decision-making process, such as the organisation’s response to the breach, its willingness to accept fault and its cooperation with investigators.
But in general, a significant fine indicates that either vast numbers of people have been affected or that serious damage has been incurred.
In the Bank of Ireland case, only 136 people were affected, so the size of the fine points towards the DPC judging the threat to those individuals’ data security and privacy to be severe.
And, yes, users’ bank account information was exposed, but it fell into the hands of other customers who weren’t actively seeking out this information.
The Bank of Ireland said it’s confident that no one suffered financial losses as a result of the breach and that there was little risk of identity theft or fraud, but Data Protection Commissioner Helen Dixon disagreed.
In her report, she said the manner in which the bank processes personal data via its app “creates a high risk to the rights and freedoms of natural persons in terms of severity”, adding “the risks of fraud and identity theft would severely undermine a customer’s relationship with the bank”.
The bank has responded appropriately to the investigation and subsequent fine – apologising for its mistake and committing to improving its data protection practices.
In a statement, it said: “We take very seriously our regulatory and compliance obligations – and our duty to customers – and we acknowledge that we fell short in this instance.”
“The bank has rectified the IT issue which caused some of the errors. We have also introduced additional quality assurance checks, conducted enhanced training for staff to address manual errors, and centralised a number of teams in order to improve data management and oversight.”
However, the DPC’s response indicates underlying problems. Less than a year ago, the Bank of Ireland was given a €463,000 fine for a series of data breaches between 2018 and 2019.
In one instance, the data of 47,000 customers was compromised even though the bank’s initial notification said that only one individual was affected.
That penalty also related to widespread areas of non-compliance, including a failure to implement appropriate technical and organisational measures, a failure to report data breaches without undue delay and a failure to notify affected individuals about those breaches.
This latest fine represents a punishment not only for this incident but the Bank of Ireland’s failure to learn from its past mistakes.
In its final decision, the DPC noted the Bank of Ireland had prior knowledge of some of the processes that created this breach, but it had waited 21 months before implementing a technical fix.
The bank said the delay was due to the ongoing disruption caused by the pandemic, but the DPC’s judgement shows that it did not accept that excuse.
Dixon concluded that the €750,000 fine was necessary “to deter other future serious non-compliance on the part of the [Bank of Ireland].”
A spokesperson for the bank said it accepted the fine, and said that it “sincerely apologises for the errors” which gave rise to the penalty.