Back to Feed
PolicyJul 6, 2026

DPC (Ireland) - IN-22-7-3

Irish DPC fines PTSB €277,500 for GDPR violations following social engineering attacks.

Summary

The Irish Data Protection Commission (DPC) has fined Permanent TSB (PTSB) €277,500 for multiple GDPR violations. The breaches stemmed from social engineering attacks where malicious actors impersonated customers to gain unauthorized access to accounts via PTSB's Open24 Contact Centre. The DPC found that PTSB failed to implement adequate technical and organizational measures to secure sensitive personal and financial data, and also violated notification requirements by delaying reporting the breaches.

Full text

Help DPC (Ireland) - IN-22-7-3: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 13:31, 6 July 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators138 edits Tag: submission [1.0] Latest revision as of 13:59, 6 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators138 editsTag: Visual edit (One intermediate revision by the same user not shown)Line 21: Line 21: |Type=Investigation|Type=Investigation |Outcome=Violation Found|Outcome=Violation Found |Date_Started=|Date_Started=26.05.2022 |Date_Decided=|Date_Decided=30.04.2026 |Date_Published=|Date_Published= |Year=|Year= Line 72: Line 72: === Facts ====== Facts === PTSB, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone.Permanent TSB Group, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers.On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. Line 84: Line 84: === Holding ====== Holding === The DPA held that the controller infringed Articles 5(1)(f) and 32(1) GDPR.The DPA held that the controller infringed [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]]. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high.The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. Line 90: Line 90: Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks.Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Call centre agents could change mobile telephone numbers and other important account details without mandatory backend validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account.Call centre agents could change mobile telephone numbers and other important account details without mandatory back-end validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts.The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The DPA clarified that Articles 5(1)(f) and 32(1) GDPR do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective.The DPA clarified that [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]] do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay.The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The DPA also found that, after the data protection team became aware of the incidents, there were

Entities

PTSB (vendor)