About 110 Bank of Ireland staff were affected by a data breach earlier this year where their pay and benefits were mistakenly circulated internally, The Irish Times has learned.
A spokesman for the bank confirmed the breach, stemming from the human resources department, where “information relating to some staff was inadvertently emailed to a small number of senior managers last April.”
The bank took steps to “ensure that there was no misuse of the information and the incident was reported to the Data Protection Commissioner”, he said.
Sources said that the salaries, pension and other benefits of 70 private banking staff and 40 employees in insurance and investments were accidentally sent by a human resources official to about 20 managers in the organisation. The managers were asked to forward the email and attached document on.
The sender had intended to attach a list containing education awards relating to Institute of Banking exams. While the bank official subsequently managed to recall the message from a number of recipients, others had opened and forwarded it on.
The email was sent at a time when the bank was in the middle of formulating a plan to fold the private banking subsidiary, which was set up more than four decades ago, into the broader Bank of Ireland group. The merger took effect during the summer, following clearance from the High Court.
The aim of the combination was to “rationalise and simplify the group organisational structure” by having Bank of Ireland Private Banking operate as a client segment within the retail division of the group, rather than as a stand-alone legal entity, the bank said in documents opened in court in June.
Word of mouth
It is understood that 12 people opened the contents of the email, but were asked by management to delete the message. However, some details from the document spread by word of mouth in the bank, according to sources.
While the bank informed the Office of the Data Protection Commissioner immediately after the error was discovered, it decided not to inform the individuals whose information was circulated. It is believed that this decision was made on the basis that the bank had managed to contain the breach and that the document did not contain bank account details or information that could lead to a financial loss.
“The Data Protection Commissioner received a breach notification, in relation to the matter referred to, by Bank of Ireland on April 28th, 2017, under our Personal Data Security Breach Code of Practice,” a spokesman for the commissioner said.
“Bank of Ireland confirmed to this Office that the information concerned was sent internally to a limited number of staff members, with no potential risk of misuse of the information disclosed. Based on the information received from BOI, our investigation was closed.”
News of the data breach comes as the bank’s new chief executive, Francesca McDonagh, who joined the group at the start of October, has had to come to grips with the bank’s exposure to an industry-wide tracker mortgage scandal and a sweeping €900 million technology project, while launching an agenda in recent weeks to overhaul the lender’s culture.
Bank of Ireland moved two weeks ago to set aside up to a further €175 million of provisions to cover customer refunds, compensation and other costs relating to the overcharging of customers going back almost a decade. The amount is in addition to €25 million ring-fenced for the issue last year.
The increase came as the bank established that an additional 6,000 customers had either been wrongly denied a low-cost mortgage linked to the European Central Bank benchmark rate, or put on the wrong rate. The bank had previously outlined that 4,300 customers had been affected, including 600 who would have been entitled to a tracker rate.