[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVviDSpuC0VTszyAvZyfLTNpbu_Qi3rJicikRlw8xTlk":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"73bc785a-fc45-4239-a784-cbe34558404f","DPC (Ireland) - IN-22-7-3","dpc-ireland-in-22-7-3-acdddf","← Older revision Revision as of 13:59, 6 July 2026 (One intermediate revision by the same user not shown) Line 21: Line 21: |Type=Investigation |Type=Investigation |Outcome=Violation Found |Outcome=Violation Found |Date_Started= |Date_Started=26.05.2022 |Date_Decided= |Date_Decided=30.04.2026 |Date_Published= |Date_Published= |Year= |Year= Line 72: Line 72: === Facts === === Facts === PTSB, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. Permanent TSB Group, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. Line 84: Line 84: === Holding === === Holding === The DPA held that the controller infringed Articles 5(1)(f) and 32(1) GDPR. The DPA held that the controller infringed [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]]. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. Line 90: Line 90: Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Call centre agents could change mobile telephone numbers and other important account details without mandatory backend validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. Call centre agents could change mobile telephone numbers and other important account details without mandatory back-end validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The DPA clarified that Articles 5(1)(f) and 32(1) GDPR do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA clarified that [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]] do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay. The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The DPA also found that, after the data protection team became aware of the incidents, there were no circumstances justifying further delays beyond the 72-hour notification period. The fact that the controller had secured the affected accounts and refunded the financial losses did not remove its obligation to notify the DPA without undue delay. The DPA also found that, after the data protection team became aware of the incidents, there were no circumstances justifying further delays beyond the 72-hour notification period. The fact that the controller had secured the affected accounts and refunded the financial losses did not remove its obligation to notify the DPA without undue delay. Line 104: Line 102: The DPA considered the infringements negligent. The controller was aware of the risks associated with external fraud, human error and non-compliance with call centre procedures but failed to implement sufficiently effective controls. The DPA nevertheless took into account the controller’s remedial measures, cooperation, refunds to the affected data subjects and absence of relevant previous infringements. The DPA considered the infringements negligent. The controller was aware of the risks associated with external fraud, human error and non-compliance with call centre procedures but failed to implement sufficiently effective controls. The DPA nevertheless took into account the controller’s remedial measures, cooperation, refunds to the affected data subjects and absence of relevant previous infringements. The DPA issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] for the infringements of Articles 5(1)(f), 32(1) and 33(1) GDPR. The DPA issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and imposed an administrative fine of €250,000 for the infringements of [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]] and a separate fine of €27,500 for the infringement of [[Article 33 GDPR#1|Article 33(1) GDPR]]. The total fine was therefore €277,500. It imposed an administrative fine of €250,000 for the infringements of Articles 5(1)(f) and 32(1) GDPR and a separate fine of €27,500 for the infringement of [[Article 33 GDPR#1|Article 33(1) GDPR]]. The total fine was therefore €277,500. The DPA did not issue an order to bring the processing into compliance under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] because the controller had already implemented ongoing remedial measures following the breaches. The DPA did not issue an order to bring the processing into compliance under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] because the controller had already implemented ongoing remedial measures following the breaches.","The Irish Data Protection Commission (DPC) has fined Permanent TSB (PTSB) €277,500 for multiple GDPR violations. The breaches stemmed from social engineering attacks where malicious actors impersonated customers to gain unauthorized access to accounts via PTSB's Open24 Contact Centre. The DPC found that PTSB failed to implement adequate technical and organizational measures to secure sensitive personal and financial data, and also violated notification requirements by delaying reporting the breaches.","Irish DPC fines PTSB €277,500 for GDPR violations following social engineering attacks.","Help DPC (Ireland) - IN-22-7-3: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 13:31, 6 July 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators138 edits Tag: submission [1.0] Latest revision as of 13:59, 6 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators138 editsTag: Visual edit (One intermediate revision by the same user not shown)Line 21: Line 21: |Type=Investigation|Type=Investigation |Outcome=Violation Found|Outcome=Violation Found |Date_Started=|Date_Started=26.05.2022 |Date_Decided=|Date_Decided=30.04.2026 |Date_Published=|Date_Published= |Year=|Year= Line 72: Line 72: === Facts ====== Facts === PTSB, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone.Permanent TSB Group, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers.On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. Line 84: Line 84: === Holding ====== Holding === The DPA held that the controller infringed Articles 5(1)(f) and 32(1) GDPR.The DPA held that the controller infringed [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]]. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high.The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. Line 90: Line 90: Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks.Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Call centre agents could change mobile telephone numbers and other important account details without mandatory backend validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account.Call centre agents could change mobile telephone numbers and other important account details without mandatory back-end validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts.The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The DPA clarified that Articles 5(1)(f) and 32(1) GDPR do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective.The DPA clarified that [[Article 5 GDPR|Articles 5(1)(f)]] and [[Article 32 GDPR|32(1) GDPR]] do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay.The DPA further held that the controller infringed [[Article 33 GDPR#1|Article 33(1) GDPR]] by failing to notify the three breaches without undue delay. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The DPA also found that, after the data protection team became aware of the incidents, there were","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=DPC_(Ireland)_-_IN-22-7-3&diff=52071&oldid=52069","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F82\u002FLogoIE.png","2026-07-06T13:59:44+00:00","2026-07-06T14:00:24.449162+00:00",7,[18],{"name":19,"type":20},"PTSB","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,39],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":38},{"id":21,"icon":23,"name":24,"slug":25},{"category":40},{"id":41,"icon":23,"name":42,"slug":43},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]