Bank of Ireland fined for cyber security failings
Ireland’s Central Bank has imposed a €1.66m fine on Bank of Ireland (BoI) for a regulatory breach that saw one of its subsidiaries transfer more than €100,000 to a hacker who had illegally accessed a client’s email account.
The Central Bank also stated that BoI took more than a year to alert the police following the breach and misled the regulator during the subsequent investigation.
The breach, which took place six years ago, involved the bank’s private banking subsidiary, Bank of Ireland Private Banking (BoIPB). After a fraudster hacked a client’s account, the bank released confidential account details without asking any security questions or calling the client to verify the transaction.
When the client informed the bank a month later of the fraud, the bank ensured an immediate reimbursement. However, the incident was not reported to the police or to the regulator, which only spotted it in an operational incident log among its routine regulatory filings a year later.
Furthermore, the Central Bank criticised the bank’s level of cooperation during the investigation, which it said was “well below what is expected”, while the information it did provide was effectively misleading.
“BoIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request,” stated the regulator. “It also provided information to the Central Bank that was imprecise and vague. The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.”
The Central Bank’s director of enforcement and anti-money laundering also criticised the bank for both its failure to put safeguards in place and its failure to immediately report the incident to the relevant authorities. “Reporting illegal activity is essential in the fight against financial crime,” she said.
“The Central Bank expects proactive engagement from regulated entities. That extends from self-reporting through remediation and full co-operation with the investigation,” added Cunningham.
Bank of Ireland issued a statement following the announcement of the fine, stating that it regrets its part in the investigation and adding that its controls have since been strengthened.
“All relevant information should have been disclosed to the Central Bank of Ireland from the outset, and the matter should have been reported to all relevant authorities,” it said.
“The bank has learnt lessons from this incident and has taken a range of actions arising from the issue. Policies, processes and controls have been strengthened to ensure customers are protected.”