The Data Protection Commission (DPC) has fined PTSB a total of €277,500 over a series of personal data breaches which were first reported to the DPC in May 2022.
The DPC said the breaches occurred when malicious actors, in possession of certain customer information, called the financial institution’s “Open24 Contact Centre” and posed as customers to gain access to their accounts and amend the details.
“In all three incidents, appropriate security protocols were not followed,” the DPC said in a statement.
“The malicious actors were able to change details associated with the accounts and obtain additional account information,” it stated.
“As a result, account holders were exposed to an increased risk of additional fraud. The account holders were forced to close their accounts, and, in some cases, suffered financial loss,” according to the DPC.
As part of the inquiry, the DPC said it assessed the appropriateness of PTSB’s technical and organisational measures for ensuring the security of personal data that it processed through its Open24 Contact Centre.
Following an investigation, the DPC has identified three breaches of the General Data Protection Regulation (GDPR).
The first relates to failing to ensure appropriate security of the personal data related to customer accounts using appropriate technical and organisational measures.
Another breach related to failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data within the Open24 Contact Centre.
The investigation also found that the bank had failed to notify the DPC without undue delay and within 72 hours of becoming aware of the breaches.
PTSB has been reprimanded and hit with fines totally €277,500.
A spokesperson for PTSB said it fully acknowledges the outcome of the DPC inquiry and sincerely apologises to the three customers affected by the incidents in 2022.
“At the time, the bank fully reimbursed the impacted customers for the monies fraudulently taken from their accounts by external fraudsters. The bank has co-operated fully with the Data Protection Commission in investigating this matter,” the bank said.
PTSB added that it takes data security extremely seriously and has made improvements to its processes to significantly reduce the risk of any incident of this nature reoccurring.
“We continue to invest in fraud prevention and security measures to strengthen safeguards and protect our customers,” PTSB said.
