Mortgage group apologises for data breach involving over 1,000 customers

A group set up to help homeowners in mortgage difficulties has apologised after the names and bank details of over 1,000 customers were passed to a commercial partner.

New Beginning emailed a database of names to Malta-based fund Arizun/Casa Mundi, with whom it planned to purchase 5,000 non-performing mortgages from the banks for some €720 million.

It is reported the €2 billion overseas investment fund aims to buy up to 15,000 distressed mortages here.

After securing the homes as assets, Arizun would rent them back to families for seven years or longer, after which residents could buy their house back.

An email sent to Arizun by New Beginning on August 25th included a spreadsheet named 'Final Master List 1500 Mortgage Samples'. It included names, addresses, number of children in a household, details of debts and income on AIB, Ulster Bank and Bank of Ireland customers.

New Beginning said the email had been sent in error by a contractor who was no longer working for it.

A €20,000 payment was made to New Beginning the same day the database was sent by email but the mortage group said it was “simply not the case” that the money had changed hands for the names.

It confirmed on Sunday that Arizun had agreed to pay towards the cost of New Beginning employees “to ensure that this engagement did not detract from our other activities”.

Co-founder of New Beginning, senior counsel Ross Maguire, said he wanted to reassure customers that it had never been the intention of the group to transfer details that were personally identifiable.

“We are sorry for this lapse on our part. As well as ensuring that the data was destroyed we hired a consultancy firm to review our data protection measures in general.

“In the next few days we will write to each of the people on our database whose details were passed on in error to apologise for this lapse on our part and to assure them that there details were not used in any way.”

New Beginning said in a statement that it and Arizun had jointly developed a ‘mortgage-to-lease’ proposition which had the potential to prevent thousands of homeowners from losing their home.

“Our idea was and is to allow homeowners whose mortgages are in default and who are at risk of repossession to surrender and then rent back their home.

“If their circumstances improved the homeowner has the right to buy back their property in the first seven years at a 40 per cent discount to any uplift since the agreement was entered into.”

It said there were currently 20,000 families in Ireland with mortgages in arrears that cannot be restructured, and where the family is facing repossession.

It had developed with Arizun a “highly innovative, fair and balanced product that would see families remain in their home permanently while also giving them the space to reclaim their own financial solvency, with the option to re-buy their home in time”.

“In developing the programme we analysed a sample of cases from New Beginning’s database to see if a move from a mortgage repayment to rent would benefit clients.

No personal details were required and it was agreed at the outset only general information could be shared with Arizun/Casa Mundi with all names, details and identifying information withheld.”

The data was sent to Arizun Casa Mundi in two tranches.

“In one of these two tranches a New Beginning contractor mistakenly included identifying information, including names and address,” the organisation said.

“The consultant, who was on a short-term contract, is no longer with New Beginning. Once the error was noticed we contacted Arizun/Casa Mundi which agreed to delete the information sent in error.”

Mr Maguire said he wanted to reiterate “in the strongest terms” that it was never the organisation’s intention, nor it’s partner’s intention, that any information would be transferred which would identify customers.

On the €20,000 paid to New Beginning by Arizun the same day the customer data was transferred, Mr Maguire said the partner company had agreed to “make a contribution to the ongoing operations” of the mortgage group.

“Our partner is a commercial arrangement, we are a not-for-profit,” he said.

It was “simply not the case” that the money changed hands for the names.

Asked on RTÉ's This Week programme why New Beginning had not reported the breach to the Data Protection Commissioner at an earlier stage, Mr Maguire said there was no legal requirement for him to do that.

“I accept that I should have done so and I apologise for not having done so.”

He said the organisation would co-operate with the Data Protection Commissioner and would also write to the affected customers early next week.

Mr Maguire hoped the issue would not damage the ability of New Beginning to do its work.

A spokeswoman for the Data Protection Commissioner confirmed it received a notification of a data breach under the office’s personal data security breach code of practice on Friday was currently investigating it.

The issue was reported to the commissioner after New Beginning was contacted by the Irish Mail on Sunday, which published an investigation into the issue.