PTSB fined €277,500 by Data Protection Commission
Summarized and contextualized by DistantNews.
TLDR
- The Data Protection Commission (DPC) has fined PTSB €277,500 for three breaches of GDPR.
- Malicious actors gained access to customer accounts by posing as customers to contact center staff, leading to account changes and potential fraud.
- PTSB failed to follow security protocols, notify the DPC promptly, and implement appropriate technical and organizational measures.
The Irish Data Protection Commission (DPC) has imposed a significant fine of €277,500 on PTSB, highlighting serious lapses in the bank's data protection protocols. This penalty stems from three distinct breaches of the General Data Protection Regulation (GDPR) that occurred in 2022.
In all three incidents, appropriate security protocols were not followed.
According to the DPC's findings, cybercriminals exploited vulnerabilities by impersonating customers to gain access to the bank's "Open24 Contact Centre." By posing as legitimate account holders, they were able to alter account details and obtain sensitive customer information. The DPC explicitly stated that "appropriate security protocols were not followed" in these incidents, directly contributing to the exposure of account holders to further fraudulent activities.
The malicious actors were able to change details associated with the accounts and obtain additional account information.
The investigation revealed that PTSB failed in its duty to implement adequate technical and organizational measures to secure personal data processed through its contact center. Furthermore, the bank did not notify the DPC of these breaches within the mandated 72-hour timeframe. The consequences for affected customers were severe, including being forced to close their accounts and, in some cases, suffering direct financial losses. This ruling underscores the critical importance of robust cybersecurity and timely breach notification for financial institutions operating under GDPR.
As a result, account holders were exposed to an increased risk of additional fraud.
Originally published by RTÉ News.