DPC fines Permanent TSB for GDPR breaches
The data-protection watchdog has fined Permanent TSB (PTSB) a total of €277,500 for breaches of the GDPR.
This follows an inquiry by the Data Protection Commission (DPC) into a series of personal-data breaches at the bank, which were first reported to the commission in May 2022.
The probe found that PTSB failed to implement strong enough measures to ensure that data linked to customer accounts was protected.
According to the DPC, the bank also failed to notify it “without undue delay” and within 72 hours of becoming aware of the breaches.
Protocols not followed
The breaches occurred when malicious actors, in possession of certain customer information, called PTSB’s Open24 contact centre and posed as customers to gain access to their accounts and amend account details.
The DPC found that, in all three incidents, appropriate security protocols were not followed.
“The malicious actors were able to change details associated with the accounts and obtain additional account information,” it said.
“As a result, account holders were exposed to an increased risk of additional fraud. The account holders were forced to close their accounts, and, in some cases, suffered financial loss,” the DPC added.
The watchdog fined PTSB €250,000 for the failings linked to account security, while there was a penalty of €27,500 for the delay in notifying the DPC of the breaches. The commission also reprimanded the bank.