Monday 22 October 2018

BoI kept quiet about stolen client details since February

Bank also criticised for failing to encrypt sensitive information

Ciaran Byrne and Joe Brennan

Bank of Ireland managers knew in early February that thieves had stolen personal data on 10,000 customers, but decided not to tell the authorities.

And even after the security breach was uncovered internally, the bank took no steps -- until yesterday -- to begin encrypting its laptop computers.

Despite making a profit of €1.7bn last year, Bank of Ireland's failure to spend an estimated €200,000 on encryption technology to protect its customers' data has caused shock.

The technology is used by all of its major banking rivals but Bank of Ireland's lack of investment in such a key area of basic security is a source of deep concern, experts said.

Laptops belonging to four sales staff of the bank's Life division were stolen last year, affecting a total of 10,000 customers at seven branches.

The computers contained their names, addresses, medical histories, bank account numbers, pension details and other sensitive information.

It has emerged that instead of revealing what happened, the bank began an internal investigation and monitored the compromised accounts without telling the customers.

The Irish Independent learned that gardai regarded the thefts as "opportunistic" and sources say a "judgment call" was made that accounts were not being accessed.

But with identity theft rampant and blackmail over medical histories a possibility, experts said the fear of money being withdrawn should have been the least of the bank's worries.

The bank claimed it did not want to publicly alert the laptop thieves to the significance of the data. The bank said there was no evidence of fraud so far, but yesterday a clearly embarrassed governor Richard Burrows said he could not guarantee the data would not be used by the thieves.

The Irish Independent learned the thefts -- between June and October 2007 -- were reported to gardai within hours but senior managers at the bank were not told.

Procedures

However, during an internal audit in the first week of February this year, the laptops were reported missing and an investigation began.

Bank of Ireland Life managing director Brian Forrester claimed procedures had not been adhered to and the thefts were not notified to management. But the disclosure that he and senior colleagues were aware 10 weeks ago will put further pressure on the bank.

It was not until last Thursday that the Financial Regulator was told, and a day later the Data Protection Commissioner.

Both offices have now begun formal investigations. Yesterday Bank of Ireland opened a helpline for those affected at the branches in Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephen's Green, Tallaght and Montrose. It has promised to refund customers if funds go missing.

The helpline dealt with 400 anxious customers and all 10,000 will receive a letter over the coming days. A spokeswoman said the bank was "deeply apologetic" and full encryption of its laptops would be completed within two weeks.

The Data Protection Commissioner wants to know why medical data was being stored at all.

"The investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances which led to the delay in the reporting of this matter internally."

One senior financial figure said: "We are somewhat surprised that the security protocols [in Bank of Ireland Life] seem to be relatively lax."

A spokesman for Irish Life & Permanent, the country's biggest provider of life assurance, pensions and investment products, said: "All information is encrypted by default."

Fine Gael finance spokesman Richard Bruton TD said the bank must explain why it waited for so long to inform the relevant authorities.
