Bank of Ireland Breach – A Cautionary Tale

Fallout of a Data Breach

While the headlines of the Bank of Ireland internal breach loomed out of the newspaper stands over the weekend, no doubt causing huge embarrassment for the staff involved, it provides a perfect example of what will be punished strictly in a few short month’s time, when GDPR is in full effect.

The internal breach came from an email with an attached list of employees of the insurance and investments division of the bank. The offending email plus attachment was sent internally to 20 or so members of management in the company. This has created a massive internal issue as the information was verbally shared to staff internally and to non-employees externally. The compromised details reportedly included: salary, bonuses, pension, incentives and benefits for 70 private banking staff and 40 employees in insurance and investments*.

Data Breach
Data Breach

Damage Control?

The sender had intended to attach a list containing education awards relating to Institute of Banking exams. Even though the staff member  was able to recall the message from a number of recipients after the fact, it was too late as others had opened and forwarded it on.

To add insult to injury, the bank made the decision not to address the issue with the affected staff and the email came from within the HR department – where a lot of personal and personal sensitive Data resides by nature.

With other high profile negative news stories around the beleaguered bank doing the media circuits at the moment, a story of this sensitivity adds to an implied loss of reputation. An embarrasing situation with potentially medium to long term reputational damage, it is not what the organisation needs now.

But it could have been so much worse.

GDPR and MiFID II Regulations

Under legislation being introduced in the next 6 months, the regulatory response and penalties for a breach such as this would have been a lot more severe. With potential fines under the new GDPR legislation running as high as €20 M or 4% of turnover, the Data compliance landscape will be changing massively.

  • Mandatory breach notification A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
  • Risk Management The regulations on the storage, use and transmission of Personal and Personal Sensitive Information is about to get a radical overhaul with GDPR and the information reportedly transmitted in this breach would carry severe penalties.

While this was not a completely avoidable error, good Data Management practices and Data policies massively reduce the potential for Data to be accessed or moved beyond its intended purpose.

Waterford Technologies help organisations to address Data Management challenges for GDPR, MiFID II and other compliance regulations.

Book a free Data Strategy Review today.

GDPR Data Review

 

 

*Source – The Irish Times