PTSB Fined €277,500 by DPC for 2022 Data Breaches Affecting Three Customers
The DPC fined PTSB €277,500 for three GDPR breaches in 2022, where malicious actors accessed customer accounts via the Open24 Contact Centre. PTSB failed to follow security protocols and notify the DPC promptly. The bank apologized, reimbursed affected customers, and improved security measures.
The Data Protection Commission (DPC) has fined PTSB a total of €277,500 for personal data breaches first reported in May 2022. The breaches occurred when malicious actors, possessing some customer information, impersonated customers via PTSB's Open24 Contact Centre to access and amend account details.
The DPC stated that appropriate security protocols were not followed in all three incidents, allowing the actors to change account details and obtain additional information. This exposed the account holders to increased fraud risk, forcing them to close accounts and, in some cases, suffer financial loss.
Following an inquiry, the DPC identified three breaches of the General Data Protection Regulation (GDPR): failing to ensure appropriate security of personal data, failing to implement adequate technical and organizational security measures for its Open24 Contact Centre, and failing to notify the DPC within 72 hours of becoming aware of the breaches.
PTSB acknowledged the DPC's findings, apologizing to the three affected customers from 2022. The bank stated it fully reimbursed impacted customers for fraudulent losses and has since improved its processes and invested in fraud prevention to reduce the risk of recurrence.