[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frd7uvMqI2qn4OE97-roPUg8GUXg10SQzJBLfPpwT1wE":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":23,"category":24,"article_tags":28},"14ef2900-0f13-496d-a060-bcfcbe3d635d","DPC (Ireland) - IN-22-7-3","dpc-ireland-in-22-7-3-e20a89","Created page with \"{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC |DPA_With_Country=DPC (Ireland) |Case_Number_Name=IN-22-7-3 |ECLI= |Original_Source_Name_1=DPC |Original_Source_Link_1=https:\u002F\u002Fwww.dataprotection.ie\u002Fsites\u002Fdefault\u002Ffiles\u002Fuploads\u002F2026-07\u002F20260430_PTSB_Final_Decision_redacted_IN-22-7-3.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_...\" Show changes","The Irish Data Protection Commission (DPC) has fined Permanent TSB €277,000 for violating GDPR. The bank failed to implement adequate security measures, allowing social engineering attacks to compromise customer accounts and personal data. Additionally, PTSB did not notify the DPC of three personal data breaches without undue delay.","Irish DPC fines Permanent TSB €277,000 for inadequate security and data breach notification failures.","Help DPC (Ireland) - IN-22-7-3: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 13:31, 6 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators138 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 13:31, 6 July 2026 DPC - IN-22-7-3 Authority: DPC (Ireland) Jurisdiction: Ireland Relevant Law: Article 5(1)(f) GDPR Article 32(1) GDPR Article 33(1) GDPR Type: Investigation Outcome: Violation Found Started: Decided: Published: Fine: 277,000 EUR Parties: Permanent TSB Group Holdings plc Data Protection Commission National Case Number\u002FName: IN-22-7-3 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): English Original Source: DPC (in EN) Initial Contributor: bms A banking service provider was fined €277,000 for inadequate security measures that enabled account takeovers and for failing to notify three personal data breaches without undue delay. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts PTSB, the controller, is a provider of banking services in Ireland. Its Open24 Contact Centre allows customers to access their accounts and perform banking operations by telephone. On 26 and 27 May 2022, the controller submitted three personal data breach notifications to the Data Protection Commission, the DPA. The breaches concerned social engineering attacks carried out between April and May 2022. Malicious actors contacted the controller’s call centre while impersonating three customers. In each incident, call centre agents failed to follow the applicable customer identification and security procedures. The malicious actors obtained or changed account information, including the mobile telephone numbers used for authentication. They were consequently able to access customer accounts and personal data. The affected data included identity, contact and financial data. Two data subjects suffered fraudulent transactions of approximately €35,000 and €10,000 respectively. These amounts were subsequently refunded. Although three data subjects were directly affected, the weaknesses in the controller’s call centre systems exposed a potentially much larger number of customers to similar attacks. The controller had implemented policies, customer authentication procedures, fraud monitoring systems and staff training. However, employees could manually amend important account information without mandatory technical validation. The controller also lacked an effective procedure for recording repeated failed authentication attempts, alerting staff to suspicious calls or escalating attempts to change account details. The DPA initiated an own-volition inquiry on 24 August 2022. It examined whether the controller had implemented appropriate technical and organisational measures and whether it had notified the breaches without undue delay. Holding The DPA held that the controller infringed Articles 5(1)(f) and 32(1) GDPR. The processing carried out through the Open24 Contact Centre involved large quantities of sensitive personal and financial data. Unauthorised access could result in identity theft, loss of control over personal data, account takeover and financial loss. The likelihood and severity of these risks were therefore high. Although the controller had identified several relevant risks and had implemented certain security measures, these measures did not ensure a level of security appropriate to the risk. In particular, the controller had not implemented sufficient technical controls to prevent foreseeable human error or repeated social engineering attacks. Call centre agents could change mobile telephone numbers and other important account details without mandatory backend validation confirming that the required security checks had been completed. The controller did not adequately log unsuccessful account-access attempts, alert agents to previous suspicious calls or require additional verification before significant changes were made to an account. The DPA also identified deficiencies in the controller’s organisational measures. There was no adequate procedure for alerting a manager or placing a warning on an account following unsuccessful attempts to access or change account information. This allowed malicious actors to contact multiple agents and gradually obtain the information necessary to take control of accounts. The controller’s initial training was also insufficient. New agents received limited practical testing and were only required to pass one simulated call before handling customer calls. The DPA considered this inadequate given the sensitivity of the data, the complexity of the security procedures and the foreseeable risk of social engineering. Monitoring of calls and compliance with security procedures was similarly insufficient. The DPA clarified that Articles 5(1)(f) and 32(1) GDPR do not impose strict liability or require controllers to eliminate every possible risk. However, controllers must objectively assess the likelihood and severity of the risks and implement effective measures appropriate to those risks. In this case, the occurrence of several similar breaches involving repeated failures by different agents demonstrated that the measures were not effective. The DPA further held that the controller infringed Article 33(1) GDPR by failing to notify the three breaches without undue delay. The controller delayed involving its data protection team while its fraud team investigated the incidents. It argued that time was needed to review calls and establish whether personal data breaches had occurred. The DPA rejected this reasoning. A controller must have procedures that allow it to identify potential personal data breaches promptly and cannot suspend its assessment until a separate fraud investigation has been completed. The DPA also found that, after the data protection team became aware of the incidents, there were no circumstances justifying further delays beyond the 72-hour notification period. The fact that the controller had secured the affected accounts and refunded the financial losses did not remove its obligation to notify the DPA without undue delay. The DPA considered the infringements negligent. The controller was aware of the risks associated with external fraud, human error and non-compliance with call centre procedures but failed to implement sufficiently effective controls. The DPA nevertheless took into account the controller’s remedial measures, cooperation, refunds to the affected data subjects and absence of relevant previous infringements. The DPA issued a reprimand under Article 58(2)(b) GDPR for the infringements of Articles 5(1)(f), 32(1) and 33(1) GDPR. It imposed an administrative fine of €250,000 for the infringements of Articles 5(1)(f) and 32(1) GDPR and a separate fine of €27,500 for the infringement of Article 33(1) GDPR. The total fine was therefore €277,500. The DPA did not issue an order to bring the processing into compliance under Article 58(2)(d) GDPR because the controller had already implemented ongoing remedial measures following the breaches. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. In the matter of the General Data Protection Regulation DPC Case Reference: IN-22-7-3 In the matter of Permanent TSB plc trading as PTSB and PTSB Asset Finance Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act 2018 Decision-Makers for the Data Protection Commission: ________________________________ Dr Des Hogan, Commis","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=DPC_(Ireland)_-_IN-22-7-3&diff=52069&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F82\u002FLogoIE.png","2026-07-06T13:31:40+00:00","2026-07-06T14:00:24.449162+00:00",7,[18,21],{"name":19,"type":20},"Permanent TSB","vendor",{"name":22,"type":20},"DPC","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":23,"icon":25,"name":26,"slug":27},null,"GDPR","gdpr",[29,34,36,41],{"category":30},{"id":31,"icon":25,"name":32,"slug":33},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":35},{"id":23,"icon":25,"name":26,"slug":27},{"category":37},{"id":38,"icon":25,"name":39,"slug":40},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":42},{"id":43,"icon":25,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]