Data Breach at the Bank of Ireland

TheBishopOfSoho · 09-05-2018 05:43PM #1

Hi there, I received a letter from the Bank of Ireland informing me that my details were involved in a data breach going back up to 7 years. It seems that internal emails of BOI employees, containing my name, account number and balance, had been emailed internally, and printed out, and someone external to the bank had handed these printed emails into the bank.

Im pretty stressed that this has happened for obvious reasons, and opened a formal complaint, but its very clear that BOI have broken the law here. They have mentioned that they have informed the Data Protection Commissioners office, but what does that mean? What will the DPC do from there? What options do I have in terms of challenging the bank on this, when they say that the 3 people listed on the emails no longer work for the bank so they cannot investigate further?

Peregrinus · 10-05-2018 01:26AM

What remedy do you want?

TheBishopOfSoho · 10-05-2018 06:32AM

Peregrinus wrote: »

What remedy do you want?

What I'm asking I suppose is 2 things:

What does the DPC do when notified of a breach?

What options do I have legally if DPC doesn't do much, I'm not entirely sure the bank are being straight with me, and won't say where this information was handed in, or whether this is a local breach where someone here would know my information.

yosser hughes · 10-05-2018 06:38AM

The bank are required to notify the DPC. They will have to satisfy that they have investigated the issue and remedies to prevent reocurrence are put in place.
These things happen.
Have you suffered any loss as a result? If not, what exactly are you looking for apart from an apology?

TheBishopOfSoho · 10-05-2018 06:47AM

yosser hughes wrote: »

The bank are required to notify the DPC. They will have to satisfy that they have investigated the issue and remedies to prevent reocurrence are put in place.
These things happen.
Have you suffered any loss as a result? If not, what exactly are you looking for apart from an apology?

Someone at the bank printed off a load of files with confidential information off them, and.took them home, they say they cannot investigate this as the people involved no longer work with the bank. That seems like like a cop out, what has happened shouldn't have, they have failed in their duty of care with my data and the people involved should still be liable. I want to know exactly how someone from the public came.to have details of my bank accounts and balances. This may not be a big deal to some people but it's worrying that someone locally will have information about me.i don't want share. Will the DPC dig into this, or just brush it up with a generic "All procedures have been followed" line, or do I have legal right to chase this to find out more?

Reati · 10-05-2018 06:50AM

Peregrinus wrote: »

What remedy do you want?

A heavy fine. Banks seem to do this frequently and nothing hurts home more than a large fine or simular.

OldMrBrennan83 · 10-05-2018 06:50AM

This post has been deleted.

Bubbaclaus · 10-05-2018 06:52AM

These things happen. You've suffered no loss because of it. Move on.

Peregrinus · 10-05-2018 06:57AM

TheBishopOfSoho wrote: »

What I'm asking I suppose is 2 things:

What does the DPC do when notified of a breach?

The DPC is mainly concerned to know how the breach happened, and what steps have been taken to prevent it from happening again.

TheBishopOfSoho wrote: »

What options do I have legally if DPC doesn't do much, I'm not entirely sure the bank are being straight with me, and won't say where this information was handed in, or whether this is a local breach where someone here would know my information.

Your concerns are different from the DPC's; you are concerned to assess what risk to you personally the breach presents, and what steps you can take to miminise that risk. At the moment, as I understand it, you have no reason tot think that any actual harm has yet occurred to you because of the breach, but you are concerned that it could.

I wouldn't be relying on the DPC to sort this for you; that's not the DPC's role.

If the bank gave you more information (such as, how long the data was out there, what branch it was handed in it, what data exactly was in the e-mails) you'd be somewhat better placed to assess the risk. But, to be honest, not hugely better placed; you're not likely to find out who saw or might have seen the data while it was out of the bank's control. Precisely because it was outside the bank's control, the bank can never be sure that it has found that out.

Is there anything you can do to minimise the risk to you? Yes, there certainly is, and it's entirely within your control. Close your accounts and take your business to another bank.

The main risk when somebody has your name, address, bank details and bank account number is fraud on your bank account. And you can obviate this risk by closing the account and changing banks.

Reati · 10-05-2018 09:08AM

Bubbaclaus wrote: »

These things happen. You've suffered no loss because of it. Move on.

No, that's a cop out. These things don't just happen. These things are allowed to happen.

Proper security and DRM / IRM would have prevented this.

yosser hughes · 10-05-2018 09:15AM

Reati wrote: »

No, that's a cop out. These things don't just happen. These things are allowed to happen.

Proper security and DRM / IRM would have prevented this.

What's a cop out,? The bank have informed the OP and the DPC. How is that copping out?
Well clearly these things do actually happen.
This is human error. It happens.

jimmycrackcorm · 10-05-2018 09:52AM

Reati wrote:

Proper security and DRM / IRM would have prevented this.

How does that block someone printing?

Reati · 10-05-2018 12:31PM

yosser hughes wrote: »

What's a cop out,? The bank have informed the OP and the DPC. How is that copping out?
Well clearly these things do actually happen.
This is human error. It happens.

Relax.

Saying these things happen is a cop out. These things don't just happen. The system allows them to happen.

jimmycrackcorm wrote: »

How does that block someone printing?

IRM allows you to set permissions to help prevent documents from being printed, forwarded, or copied.

tricky D · 10-05-2018 12:57PM

Bubbaclaus wrote: »

These things happen. You've suffered no loss because of it. Move on.

There is breach of confidentiality, loss of secrecy and loss of trust. While less tangible than financial loss they are nevertheless important factors in financial dealings and have been damaged.

Dismissing the incident as you have is not the best way forward in preventing such systemic breaches in the future.

Bubbaclaus · 10-05-2018 01:24PM

tricky D wrote: »

There is breach of confidentiality, loss of secrecy and loss of trust. While less tangible than financial loss they are nevertheless important factors in financial dealings and have been damaged.

Dismissing the incident as you have is not the best way forward in preventing such systemic breaches in the future.

It's been reported to the Data Protection Commissioner. OP seems to be after some additional personal gain from this.

Fred Swanson · 10-05-2018 05:30PM

This post has been deleted.

yosser hughes · 10-05-2018 06:58PM

Fred Swanson wrote: »

This post has been deleted.

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Bubbaclaus · 10-05-2018 06:59PM

yosser hughes wrote: »

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Compo culture infestation in Ireland.

Fred Swanson · 10-05-2018 07:00PM

This post has been deleted.

Bubbaclaus · 10-05-2018 07:02PM

Fred Swanson wrote: »

The bank can and should be punished. Sh1t happens is not an adequate response.

It has been reported to the DPC and confirmed with the affected party as required. What exactly are you looking for here? All the steps have been followed.

yosser hughes · 10-05-2018 07:12PM

Fred Swanson wrote: »

This post has been deleted.

New GDPR rules will mean banks can be fined. Sh1t does happen and will always happen. That's life.

tricky D · 10-05-2018 07:14PM

yosser hughes wrote: »

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked?
What do you mean by 'remedy' here? You can't undo the data breach.

Yes, Damages in a civil matter is quite normal compensation for a breach of duty of care even if some dismiss it as compo culture.

As for someone being sacked, reread the OP. Also reporting to the DPC is certainly no magic wand that will fix everything.

yosser hughes · 10-05-2018 07:16PM

tricky D wrote: »

Yes, Damages in a civil matter is quite normal compensation for a breach of duty of care even if some dismiss it as compo culture.

As for someone being sacked, reread the OP. Also reporting to the DPC is certainly no magic wand that will fix everything.

Yes, I read the OP, some staff have left, but sure why not get someone else sacked and a few quid anyway?
I'm glad you clarified, it's about the cash.

tricky D · 10-05-2018 07:34PM

Cash if you want to call it that. You can dismiss it as compo culture but is no where near the same as people claiming silly money for 'suspected' whiplash. The bank have broken the law and the result is loss of trust, confidentiality and secrecy - would you like to deal with a bank that has damaged those? Also an apology would be nice as well as the cash.

Furthermore, the OP is suspicious that the bank are not being straight with him and are not providing a good account of what has happened. Given that and the behaviour of banks over recent times and culture of immunity, I wouldn't hesitate suing them, they do not deserve to be let off the hook given the crap they have pulled. Puzzling that people defend banks like this.

yosser hughes · 10-05-2018 07:43PM

tricky D wrote: »

Cash if you want to call it that. You can dismiss it as compo culture but is no where near the same as people claiming silly money for 'suspected' whiplash. The bank have broken the law and the result is loss of trust, confidentiality and secrecy - would you like to deal with a bank that has damaged those? Also an apology would be nice as well as the cash.

Furthermore, the OP is suspicious that the bank are not being straight with him and are not providing a good account of what has happened. Given that and the behaviour of banks over recent times and culture of immunity, I wouldn't hesitate suing them, they do not deserve to be let off the hook given the crap they have pulled. Puzzling that people defend banks like this.

I'm not defending the banks. I'm merely trying to get to the nub of the issue and we finally have. It's about a claim, cash.
'what about de bankers' is the most overused term in Irish life now. Your point about what people claim for whiplash is funny.
So let's not pretend it's anything other than a compo claim okay?

Chimichangas · 10-05-2018 07:45PM

yosser hughes wrote:

What would 'remedy' it? Would cash make it better? Would the OP feel better if someone was sacked? What do you mean by 'remedy' here? You can't undo the data breach.

Bubbaclaus wrote:

It has been reported to the DPC and confirmed with the affected party as required. What exactly are you looking for here? All the steps have been followed.

I'm glad we seem to agree to move on from the 'sh*t happens..'attitude. ðŸ€¨

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...
Just a thought.

yosser hughes · 10-05-2018 07:49PM

Chimichangas wrote: »

I'm glad we seem to agree to move on from the 'sh*t happens..'attitude. &#55356;&#56360;

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...
Just a thought.

Yeah, because that's what the OP is really interested in alright:rolleyes:

tricky D · 10-05-2018 08:12PM

yosser hughes wrote: »

So let's not pretend it's anything other than a compo claim okay?

And what is wrong with compensation in this case? Damage has been done, banks are sill not acting in good faith and the DPC is not a magic wand. Not all compensation claims should be dismissed as part of the culture.

The OP has every right to be furious.

tricky D · 10-05-2018 08:17PM

Chimichangas wrote: »

But one could hope an investigation might point out what failures in procedures there were, and what improvements might be made to make sure it doesn't effin' happen again...

That is what should happen, but the banks aren't quite like that as we well know.

Bubbaclaus · 10-05-2018 08:18PM

This thread is gas.

Can someone tell me what damage has been done to the OP to justify compensation? What loss has the OP suffered?

Compo culture gone mad.

hullaballoo · 10-05-2018 08:20PM

Under the GDPR, it is specifically set out that damages can be obtained for a data breach. Previously, there was a question over whether privacy breaches could attract damages, although most reasonable lawyers think that it would as is par for the course where personal rights are adversely affected.

Funnily enough, the damages recoverable in this jurisdiction for data/privacy breaches are likely to be very low when compared to other jurisdictions in the EU that take such things seriously.

That should keep the usual suspects posting about "compo culture" in here happy.

Data Breach at the Bank of Ireland

Comments