[BreachExchange] AIB employee loses banking details of 500 customers

[Destry Winant]

https://www.irishtimes.com/news/ireland/irish-news/aib-employee-loses-banking-details-of-500-customers-1.3218170


AIB has confirmed a member of staff misplaced sensitive personal data
relating to hundreds of its customers.

The material was lost in the west of Ireland and is understood to
relate to about 550 people, mainly in the Galway area.

The bank would not comment on the nature of the material other than to
say it was confidential and did not included addresses or contact
information.

However, names and details relating to loan and deposit balances,
account turnover and annual fees are understood to be included.

The Office of the Data Protection Commissioner has been notified in
keeping with standard procedures. It did not immediately respond to
requests for comment.

“Some confidential information relating to the banking facilities of a
number of customers was mislaid on Thursday 31st August in Galway,”
the bank said in a statement.

“AIB has contacted all impacted customers to explain the matter and to
apologise unreservedly.

“AIB takes its data protection obligations very seriously and has
reported this incident to the Office of the Data Protection
Commissioner.”

It is understood that letters issued to customers explained a member
of staff had been travelling between branches in Galway when the
material was lost.

The bank has said that although it is a serious incident, customer
accounts cannot be accessed by a third party as a consequence.

‘Important questions’

Simon McGarr, director of Data Compliance Europe, an organisation
working in the area of European privacy law, said the lost material
raised important questions.

“We literally don’t know where it went but it is very significant
personal information to have mislaid and begs the question what allows
this information to be printed out of a secure system [and taken
away],” he said. “No amount of computer security in the world is going
to save you.”

An AIB spokesman said the bank’s preference was to transfer classified
information electronically. “However, when data is transferred
manually, protection of customer data is paramount in our
consideration,” he said.

Mr McGarr said European data protection laws to be introduced next May
would be relevant to such incidents.

“It provides for people who have suffered data breaches to be
compensated for that breach whether or not they suffer financial
loss,” he said.

“It also allows people who have suffered data loss to pool their
claims in a class action. The Government is currently proposing to
limit these powers in their Data Protection Bill currently before the
Oireachtas.

“Today’s breach demonstrates how important it is to have the strongest
possible protections and remedies for individuals’ personal data.”