NEWS: Irish bank PTSB fined after fraudsters access customer accounts

By PAUL O’DONOGHUE, Senior Correspondent

IRELAND’S Data Protection Commission (DPC) has fined PTSB €277,500 over a series of personal data breaches linked to fraud.

The breaches first came to the regulator’s attention in May 2022. The DPC said fraudsters used customer information to impersonate account holders when calling the bank. They then gained access to accounts and changed customer details.

“In all three incidents, appropriate security protocols were not followed,” the DPC said.

The regulator said the attackers changed account information and obtained additional customer data.

“As a result, account holders were exposed to an increased risk of additional fraud. The account holders were forced to close their accounts, and, in some cases, suffered financial loss,” according to the DPC.

The DPC examined whether PTSB had proper controls in place to protect customer data processed through the firm’s Open24 Contact Centre.

PTSB fraud failings

The investigation identified three breaches of the General Data Protection Regulation (GDPR). The DPC said the bank failed to properly secure customer data. It also failed to introduce measures appropriate to the level of risk within the contact centre.

The regulator further found that PTSB did not notify the DPC “without undue delay” and within the required 72-hour reporting period.

Alongside the fine, the DPC also issued a reprimand.

A spokesperson for PTSB said: “The bank fully reimbursed the impacted customers for the monies fraudulently taken from their accounts by external fraudsters. The bank has co-operated fully with the Data Protection Commission in investigating this matter.”

PTSB added that it takes data security “extremely seriously” and has improved its controls to reduce the risk of similar incidents happening again.

“We continue to invest in fraud prevention and security measures to strengthen safeguards and protect our customers,” the bank said.