HomeCompany NewsCredit ratings of over 15,000 people affected by data breach

Credit ratings of over 15,000 people affected by data breach

  • Posted

On 20th of February 2020 the Irish Data Protection Commission (DPC) published its annual report for 2019.

The report mentions several ongoing national inquiries involving organisations like An Garda Síochána, the HSE and Tusla. One ongoing inquiry of significance relates to the Irish Credit Bureau.

The Irish Credit Bureau is a database that contains information on the performance of credit agreements between financial institutions and borrowers. Over 300 lending institutions register information with the Irish Credit Bureau, usually on a monthly basis. Each time a borrower applies for credit from one of these lenders, the lender accesses the borrower’s credit report to find out about their performance under previous credit agreements with other lenders. All loans are registered with the Irish Credit Bureau, including instances where borrowers may have missed payments in the past.

The Data Protection Commission inquiry into the Irish Credit Bureau relates to a breach notification that the DPC received directly from the Irish Credit Bureau in relation to a data integrity issue. Apparently, a change to the Irish Credit Bureau system inadvertently allowed incorrect updates to be applied to the loan account records of a large number of borrowers.

The issue impacted on the credit ratings of 15,238 individuals. 118 individuals had requested their credit report directly from the ICB while the data was incorrect.

It is not clear from the DPC report whether the credit ratings of the borrowers were impacted positively or negatively, and it remains to be seen how many borrowers may have been denied loans during the period where their credit rating was incorrect.

Under Article 82 of the General Data Protection Regulation (GDPR,) if an individual has suffered material or non-material damage as the result of a data privacy breach, then they have the right to seek compensation. The individual has the right to bring a claim to court. Irish data protection actions can now include claims for compensation for stress and emotional suffering, whereas prior to the GDPR, only compensation for financial and other material loss could be recovered.

About the author: Ciarán Leavy, Partner, specialising in data protection claims.