Bank of Ireland – €750,000 Fine (Ireland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Bank of Ireland was fined €750,000 after unauthorized persons accessed customer accounts as a result of staff errors and system flaws. The Irish Data Protection Commission found that the bank had not adequately assessed the risks of its processing or implemented sufficiently strong security measures. The case underscores the need for robust data protection practices in online banking.
What happened
Unauthorized persons accessed customer accounts on the BOI365 platform due to staff errors and system flaws.
Who was affected
Customers whose accounts were accessed without authorization on the BOI365 online banking platform.
What the authority found
The Irish Data Protection Commission found that the Bank of Ireland failed to properly assess risks and implement adequate security measures, violating GDPR.
Why this matters
This ruling highlights the importance of strong security practices and risk assessments in protecting customer data in online services. Financial institutions should regularly review and update their security protocols to prevent unauthorized access.
GDPR Articles Cited
Article 5(1)(f) GDPR (integrity and confidentiality) and Article 32 GDPR (security of processing), the provisions the DPC's inquiry examined.
This case concerns the Bank of Ireland (BOI) (the controller) and a data breach on the “BOI365” online banking platform. Between 30 January 2020 and 6 May 2020 the Irish DPA (DPC) received ten personal data breach notifications. In six of these breaches, unauthorised persons gained access to customer accounts online as a result of bank staff not following procedures correctly. The other four breaches were the result of flaws in the customer information system. On 12 August 2020, the DPC commenced an inquiry, and the controller provided submissions on 25 November 2022 concerning: risk; methodology for assessment; testing; training and quality assurance; and categorisation of BOI’s actions. In issuing its decision, the DPC sought to determine whether BOI had infringed Article 5(1)(f) GDPR and Article 32 GDPR in respect of its processing of personal data via the “BOI365” Service.

The DPC’s holding addressed two main issues: the assessment of the risks, and the appropriate level of security.

Firstly, concerning the assessment of risks, the controller had argued that up until this instance, as far as it was aware, there had never been an instance of fraud or identity theft arising from these types of events; therefore, in assessing the risk, the harm had appeared to be only potential. The DPC dismissed this argument, finding that, even if the risk had not previously materialised into harm, this does not reduce the severity of the risk itself. It found that there is a high risk of fraud and identity theft, particularly to vulnerable users, and that these risks are heightened further by the large quantity of data stored on the platform. Overall, in terms of severity, the processing on the BOI365 platform posed a high risk to the rights and freedoms of data subjects.

Secondly, regarding the appropriate level of security, the DPC held that BOI had a range of Data Protection Governance policies and procedures in place to ensure the integrity and security
Details
Fine Date: 27 February 2023
Authority: Data Protection Commission
Fine Amount: €750,000
GDPRhub ID: gdprhub-5763
Cite as: Cookie Fines. Bank of Ireland - Ireland (2023). Retrieved from cookiefines.eu