Central Bank of Ireland Apologizes for Data Breach Impacting Over 20,000 Borrowers
The Central Bank of Ireland has issued an apology after a technical error in its systems resulted in borrower information being stored on its Central Credit Register (CCR) for longer than it should have. This error potentially impacted the credit ratings of over 20,000 individuals. The Central Bank has confirmed that no unauthorized third parties accessed or compromised the borrowers’ data. However, the incident is considered a data breach, and the Central Bank has reported itself to the Data Protection Commissioner.
Borrower information is typically retained on the CCR for a maximum period of five years before being automatically deleted. However, due to a technical error, borrower information from May, June, and July 2018 was not deleted and was subsequently included in credit reports.
The Central Bank has stated that the records of approximately 20,500 borrowers contained performance data indicating repayment difficulties during the months of May, June, or July 2018. This could have potentially impacted their ability to borrow money in recent months. However, the bank has acknowledged that it is unable to determine the extent to which credit applications were adversely affected by this incident. One of the reasons for this uncertainty is the fact that a significant proportion of the 20,500 borrowers continued to experience payment performance difficulties in the months following July 2018.
The Central Bank became aware of the error when a member of the public made an inquiry on August 3, 2023. As a result of the records being retained longer than they should have, they were included in credit reports issued to borrowers and lenders between June 1 and August 7.
During the period from June 1 to August 7, there were approximately 476,000 total inquiries made by lenders or borrowers for information held on the CCR. The Central Bank has confirmed that while the information provided during this period was accurate, the additional three months of information should not have been made available. Therefore, this incident is considered a data breach under data protection legislation.
The Central Bank has expressed its sincere apologies for the error and has taken immediate action to rectify the situation. Remediation efforts began on August 4, and the error was fully resolved by August 7. The CCR is now functioning normally, and credit reports issued since August 7 do not include any additional information. Furthermore, the Central Bank has initiated an investigation to obtain a comprehensive understanding of the issue and intends to conduct a broader review of the relevant processes and procedures of the CCR.
An investigation has been launched to determine whether any borrowers were adversely affected by this incident. The Central Bank has identified that the primary way in which borrowers could have been impacted is if the information contained in these three months influenced lenders’ decisions to extend new credit or borrowers’ decisions to seek new credit.
The CCR serves as a register of all loans exceeding €500 in value and allows lenders to access customers’ credit history through a centralized database when considering whether to grant a loan. Lenders submit payment performance data on borrowers to the CCR every month, providing information on whether payments on credit agreements, such as loans, overdrafts, credit cards, and mortgages, were made or not.
The Central Bank’s prompt response to the error and its commitment to conducting a thorough investigation and review of processes and procedures demonstrates its dedication to ensuring the security and accuracy of borrower information on the CCR. As the investigation progresses, it is hoped that any impacted borrowers will be identified and appropriate measures will be taken to rectify any adverse effects on their credit ratings.