The DPC probes Central Bank of Ireland’s CCR breach

13 Oct 2023

The Central Bank of Ireland headquarters in North Wall Quay, Dublin. Image: William Murphy/Flickr (CC BY-SA 2.0)

The Central Bank said three months of extra data on more than 20,000 borrowers was accessed as a result of an archiving error, which may have impacted loan decisions.

The Data Protection Commission (DPC) has begun an inquiry into a Central Bank of Ireland data breach that impacted its Central Credit Register (CCR).

The Central Bank said today (13 October) that it was informed by the DPC about the investigation and that it will engage with the regulator on the CCR breach. This register is operated by the Central Bank and is a database that stores the personal and credit information on loans of €500 or more.

The inquiry relates to an incident that the Central Bank disclosed in August, in which an “archiving error” led to certain borrower information being retained on the CCR for three months longer than it should have. This data was also included in credit reports when it should not have been.

As well as holding personal information for longer than permitted under GDPR, the Central Bank said some borrowers could have been impacted where the data included “loan performance” – or whether loan payments were being met.

The Central Bank said the additional three months of information being included in the CCR may have affected decisions by lenders to extend new credit or decisions by borrowers to seek new credit.

In total, the records of 20,872 borrowers with data pointing to repayment difficulties were accessed by either lenders or borrowers as a result of this error. These repayment difficulties were in May, June or July of 2018, the months of data that should have been deleted by the time of the incident.

“Assessing the impact of this error has been a complex process,” the Central Bank said in a statement. “The CCR does not decide if a loan is approved or not, lenders make that decision.”

The bank said it had “extensive engagement” with 270 lenders to determine if the additional credit information influenced their credit decisions. The organisation also said it is initiating its own review of the data controls in place around the CCR.

Vasileios Madouros, the Central Bank’s deputy governor for monetary and financial stability, said the bank “sincerely regrets” and apologises for the error.

“This falls short of our own standards and we have implemented immediate measures to prevent this error from reoccurring,” Madouros  said. “We are also commissioning a broader external review of data management and data protection controls in place when operating the CCR.

“The CCR is an essential service to enable better credit decisions by borrowers and lenders, and it is crucial that we hold ourselves to the highest standards in operating it.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

The Central Bank of Ireland headquarters in North Wall Quay, Dublin. Image: William Murphy via Flickr (CC BY-SA 2.0)

Leigh Mc Gowran is a journalist with Silicon Republic