DPC (Ireland) - IN-22-7-3
DPC fines Irish bank €277K for inadequate security enabling account takeovers and delayed breach notification
Summary
Ireland's Data Protection Commission (DPC) fined Permanent TSB Group Holdings €277,000 for inadequate security measures in its Open24 Contact Centre that enabled social engineering attacks leading to account takeovers between April–May 2022. The bank failed to follow customer identification procedures, allowing attackers to impersonate customers, obtain sensitive data, and commit fraudulent transactions. The violations included breaches of GDPR Articles 5(1)(f), 32(1), and 33(1) for insufficient technical controls, lack of mandatory validation for account changes, and delayed notification of three data breaches to the DPA.
Full text
Help DPC (Ireland) - IN-22-7-3: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 13:59, 6 July 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators145 editsTag: Visual edit← Older edit Latest revision as of 08:14, 8 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators145 editsTag: Visual edit Line 67: Line 67: }}}} A banking service provider was fined €277,000 for inadequate security measures that enabled account takeovers and for failing to notify three personal data breaches without undue delay.A banking service provider was fined €277,000 for inadequate security measures that enabled account takeovers by malicious actors and for failing to notify the DPA about three personal data breaches without undue delay. == English Summary ==== English Summary == Latest revision as of 08:14, 8 July 2026 DPC - IN-22-7-3 Authority: DPC (Ireland) Jurisdiction: Ireland Relevant Law: Article 5(1)(f) GDPR Article 32(1) GDPR Article 33(1) GDPR Type: Investigation Outcome: Violation Found Started: 26.05.2022 Decided: 30.04.2026 Published: Fine: 277,000 EUR Parties: Permanent TSB Group Holdings plc Data Protection Commission National Case Number/Name: IN-22-7-3 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): English Original Source: DPC (in EN) Initial Contributor: bms A banking service provider was fined €277,000 for inadequate security measures that enabled account takeovers by malicious actors and for failing to notify the DPA about three personal data breaches without undue delay. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Permanent TSB Group, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. In each incident, call centre agents failed to follow the applicable customer identification and security procedures. The malicious actors obtained or changed account information, including the mobile telephone numbers used for authentication. They were consequently able to access customer accounts and personal data. The affected data included identity, contact and financial data. Two data subjects suffered fraudulent transactions of approximately €35,000 and €10,000 respectively. These amounts were subsequently refunded. Although three data subjects were directly affected, the weaknesses in the controller’s call centre systems exposed a potentially much larger number of customers to similar attacks. The controller had implemented policies, customer authentication procedures, fraud monitoring systems and staff training. However, employees could manually amend important account information without mandatory technical validation. The controller also lacked an effective procedure for recording repeated failed authentication attempts, alerting staff to suspicious calls or escalating attempts to change account details. The DPA initiated an own-volition inquiry on 24 August 2022. It examined whether the controller had implemented appropriate technical and organisational measures and whether it had notified the breaches without undue delay. Holding The DPA held that the controller infringed Articles 5(1)(f) and 32(1) GDPR. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Call centre agents could change mobile telephone numbers and other important account details without mandatory back-end validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The DPA clarified that Articles 5(1)(f) and 32(1) GDPR do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA further held that the controller infringed Article 33(1) GDPR by failing to notify the three breaches without undue delay. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The DPA also found that, after the data protection team became aware of the incidents, there were no circumstances justifying further delays beyond the 72-hour notification period. The fact that the controller had secured the affected accounts and refunded the financial losses did not remove its obligation to notify the DPA without undue delay. The DPA considered the infringements negligent. The controller was aware of the risks associated with external fraud, human error and non-compliance with call centre procedures but failed to implement sufficiently effective controls. The DPA nevertheless took into account the controller’s remedial measures, cooperation, refunds to the affected data subjects and absence of relevant previous infringements. The DPA issued a reprimand under Article 58(2)(b) GDPR and imposed an administrative fine of €250,000 for the infringements of Articles 5(1)(f) and 32(1) GDPR and a separate fine of €27,500 for the infringement of Article 33(1) GDPR. The total fine was therefore €277,500. The DPA did not issue an order to bring the processing into compliance under Article 58(2)(d) GDPR because the controller had already implemented ongoing remedial measures following the breaches. Comment Share your comments here! Further Resources Share blogs or news articles here! E