
ING Bank and Raiffeisen Bank were recently fined by the personal data supervisory authority for unauthorized access to or disclosure of individual customers' personal data, which resulted in payments being made by third parties or loans being approved without those customers' request.
Fine of 20,000 euros for ING Bank: what were the violations
The National Authority for the Supervision of Personal Data (ANSPDCP) announced on Monday that in October 2022 it completed an investigation of the operator ING Bank NV Amsterdam Sucursala Bucharest and found a violation of Art. 32 par. (1) and par. (2) of the General Data Protection Regulation (GDPR).
The applied fine was 98,076 lei (equivalent to 20,000 euros).
The investigation was initiated after the operator submitted a notification of a personal data security breach, as required by the General Data Protection Regulation.
“The notification was based on information according to which the personal data of some of the individuals concerned had been obtained and disclosed without authorization (identification data associated with an identity document; contact data; banking data (transactions and products they own, card-related data); user name and password for the Internet banking module (Home’Bank)), which led to payment transactions being carried out by third parties and affected the personal data of these data subjects.

During the investigation, it was established that the operator ING Bank NV Amsterdam Sucursala Bucharest did not take adequate technical and organizational measures to ensure a level of security corresponding to the risk posed by the processing, created in particular by accidental or illegal unauthorized disclosure of, and unauthorized access to, personal data that are transmitted, stored or otherwise processed. This led to unauthorized disclosure of and unauthorized access to personal data of customers of ING Bank NV Amsterdam Bucharest Branch,” the authority said in a statement.
The authority notes that ING and Raiffeisen are among several operators it has recently fined for GDPR violations, and says that both banks have paid the fines imposed on them.
Three fines totaling 28,000 euros for Raiffeisen Bank: the reasons
In the case of Raiffeisen, the National Supervisory Authority completed an investigation of the bank in September 2022 and found numerous violations of the General Data Protection Regulation (GDPR).
Two warnings and three fines totaling 138,572 lei (equivalent to 28,000 euros) were applied to the bank, namely:
1. A fine of 98,980.00 RON (equivalent to 20,000 EUR) for violation of Art. 32 par. (4) in conjunction with Art. 32 par. (1) and par. (2) of the GDPR;
2. A warning for violation of Art. 32 par. (1) and Art. 32 par. (2) of the GDPR;
3. A fine of 14,847.00 RON (equivalent to 3,000 EUR) for violation of Art. 32 par. (4) in conjunction with Art. 32 par. (1) and par. (2) of the GDPR;
4. A fine of 24,745.00 RON (equivalent to 5,000 EUR) for violation of Art. 25 par. (1) of the GDPR;
5. A warning for violation of Art. 32 par. (4) in conjunction with Art. 32 par. (1) and par. (2) of the GDPR.
What violations did ANSPDCP find:
According to the authority, the investigation was initiated after the operator Raiffeisen Bank submitted 17 notifications of personal data security breaches, as required by the General Data Protection Regulation.
Thus, during the investigation it was mainly established:
“Inquiries were made by Raiffeisen Bank in the records system managed by the Credit Bureau SA and in the system administered by the National Tax Administration (ANAF), and the IT systems of the operator Raiffeisen Bank SA were used to model credit decisions (“prescoring”) for an external credit broker.
In two situations, pre-scoring operations were performed for customers or potential customers, but the Credit Bureau system inquiry was made without the associated documentation signed by the respective applicants. It was established that the incidents reported to the National Supervisory Authority involved at least 169 individuals.
The operator of Raiffeisen Bank SA informed the Authority about an incident related to the granting of loans to some clients, individuals, through a person who is an authorized person of the operator. The basis for the notification was information according to which customers were approved for loans for personal needs without their application and without signing the relevant documents.
Thus, it was stated that Raiffeisen Bank SA did not take measures to ensure that any natural person acting under the control of the operator and having access to personal data only processes it at the request of the operator and did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing. This has resulted in unauthorized access and/or unauthorized disclosure of personal data that is transmitted, stored or processed through computer applications that Raiffeisen Bank SA uses in lending activities.
The operator reported a data breach incident in which an incorrect email address was entered into the system while updating customer details, and a document containing multiple personal data of another natural person, a client of the bank, was sent to that address.
Another incident involved a Raiffeisen Bank SA operator sending confidential data to another person via e-mail.
Another incident report generated at the operator level involved a document called “Personal Data Identification Form” that contained numerous personal details of a bank customer being sent to the wrong email address of another individual.
A similar incident occurred after two of the operator’s clients filed similar complaints: when preparing a response letter to the first client’s complaint, the operator attached documents with personal data belonging to the other client to the letter sent to him. The reason for the incorrect transmission of documents was the similarity between the types of messages and the coinciding time at which the responses were sent.
Another data breach incident reported by an operator dealt with a suspected internal credit fraud situation and consisted of:
a) implementation of specific credit operations for a client-individual without the presence of the applicant in the agency’s office.
b) applying for a line of credit using a credit card, completing and signing documentation related to a credit card line of credit, requesting a line of credit for personal needs, completing and signing documentation related to a line of credit for personal needs, and updating the data of the data subjects in the bank’s application by replacing the data subjects’ phone number with the phone number of the bank employee and entering a fictitious email address.
A similar incident, which was reported by the operator and investigated by the National Supervisory Authority, consisted in the processing of data by the operator in connection with the granting of three credit lines (Flexicredit, Flexicredit refinancing and Shopping Card) on behalf of a natural person, a client of the bank, who had not actually requested these loans.
Another personal data breach reported by the bank operator was the unauthorized disclosure of some customers’ personal data from their Smart Mobile account (a mobile banking service provided by Raiffeisen Bank) to other customers of the operator.
In the context of the above, during the investigation, it was established that the operator of Raiffeisen Bank SA did not take measures to ensure that any natural person acting under its authority and having access to personal data does not process it, except at the request of the operator.
This resulted in unauthorized access to personal data of Raiffeisen Bank SA customers (e.g. name, surname, home address, citizenship, nationality, personal image, personal numeric code, ID card series and number, e-mail, telephone number, data from the Credit Bureau system, data from the records system managed by ANAF, data from the Smart Mobile account) and in unauthorized disclosure of this data by the operator.”

Mary Robinson is a renowned journalist in the automotive field. She currently works as a writer at 247 news reel. With a keen eye for detail and a passion for all things automotive, Mary’s writing provides readers with in-depth analysis and unique perspectives on the latest developments in the field.