Security fears have been raised after the Central Bank mistakenly gave out the names and home addresses of credit union bosses.
The data breach has forced the bank to issue a grovelling apology after it blundered by releasing the personal information to a third party.
Names and addresses of around 50 credit union chairpersons and chief executives, many of whom hold keys to credit union premises, were given out in error.
It comes after a number of robberies of credit unions, most notoriously at Lordship in Co Louth, which resulted in the murder of Det Garda Adrian Donohoe.
The breach has also raised fears of tiger kidnaps, where the family of key personnel are kidnapped to force them to provide entry to a bank or credit union safe.
The embarrassing breach has forced the Central Bank, which is the financial regulator, to report itself to the Data Protection Commissioner.
This raises the prospect of one regulator being forced to fine another.
Entities can be fined up to 10pc of their turnover for data breaches. As the Central Bank’s turnover is more than €1bn, it could face a multi-million euro fine from Data Commissioner Helen Dixon.
A letter sent to a number of senior credit union people, seen by the Irish Independent, admits to a serious data breach by the Central Bank.
“I wish to advise you of a data breach in respect of your personal data in connection with the Beneficial Ownership Register.”
The letter states the name, date of birth and “the initial four lines of your address” were provided to individuals who should not have been given this information.
“This was a result of human error,” the letter states.
This register holds the statutory records of the owners or controllers of corporate and legal entities, including details of the beneficial interests held by them.
Even though credit unions are owned by their members, the chairs and chief executives are listed in the Central Bank’s register as being the beneficial owners.
The breach resulted from requests from third parties for information on the register.
Under the law, limited or “restricted” information about a financial entity and the names of those who own it or control it can be given out.
However, the Central Bank mistakenly included too much personal information in replies to requests for details on credit unions.
The bank has been accused of being slow to inform the people involved about its blunder, despite being statutorily required to report data breaches “without undue delay”.
The breach happened in April but it was June before it informed those affected.
Credit unions have now questioned moves by the Central Bank to widen the scope of the register by including the Personal Public Service (PPS) numbers of credit union bosses.
“This is a step too far because they can’t mind the data they have, never mind adding to it,” one person in the credit union movement said.
A spokesperson for the Data Protection Commission said it was engaging with the Central Bank on the issue.
The Central Bank said an individual, for business reasons, made a number of requests for beneficial ownership information for credit unions.
“Due to an error, additional information was provided in some request responses. The individual made the Central Bank aware of the error and, following a request from the Central Bank, confirmed that they had not shared the information and had deleted it.”
It said it commenced an immediate investigation and reported the matter to the Data Protection Commission.
“The Central Bank identified and contacted impacted data subjects as soon as possible, where it was possible to do so.” It added it has reviewed its data procedures.