More than 15,000 people may be due substantial compensation after the State’s biggest financial credit rating body admitted mixing up sensitive credit scores during a data breach.
The Irish Credit Bureau, a crucial supplier of financial data to 300 banks and lenders for applications on mortgages, car finance and other loans, reported the breach to the Irish Data Protection Commissioner, Helen Dixon, in July last year.
“The data integrity issue allowed incorrect updates to be applied to the loan account records of financial institutes’ customers,” according to the privacy regulator.
The issue affected the credit ratings of 15,238 individuals, it admitted.
The DPC was informed of the breach in August 2018. However, it did not begin its probe until July of the following year.
An incorrect credit rating can mean people being wrongly turned down for a mortgage, loan or overdraft. Such credit information is held for five years by the Irish Credit Bureau.
Banks that get a customer’s credit score wrong can face significant penalties. Last year, the Financial Services and Pensions Ombudsman awarded €15,000 to an individual when a lender failed to update that person’s Irish Credit Bureau rating to show that a debt had been cleared.
He also awarded €15,000 compensation to a company when a bank wrongly threatened to close a bank account due to an incorrect debt rating. If even a small portion of the 15,238 affected by the credit mistake suffered similar financial misjudgment, Irish lenders could be liable for millions in compensation.
"Each time you apply for credit from one of these lenders, the lender accesses your credit report to find out about your performance under previous credit agreements with other lenders," according to the Irish Credit Bureau's documentation.
"All loans are registered with the ICB, including instances where you may have missed payments in the past."
A spokesman for the Irish Credit Bureau was unavailable to comment. It is not known whether the 15,238 individuals whose credit reports were mixed up have been contacted or whether the systemic error has been completely rectified.
However, the Data Protection Commissioner said 118 people requested their credit report directly from the Irish Credit Bureau "while the data was incorrect".
A draft report on the breach is due to be submitted by the privacy watchdog to the Irish Credit Bureau in the coming months. In the US, more than 100 million consumers are still reeling from a data breach that hit one of the country's main credit score bodies, Equifax.
In 2012, AIB admitted sending incorrect information about 12,000 customers to the Irish Credit Bureau over a six-year period.
The Irish Credit Bureau says it holds an "electronic library" or database that contains information on the performance of credit agreements between financial institutions including banks and building societies, and borrowers.
A credit agreement, it says, can include a mortgage, car loan, personal loan, leasing agreement or hire purchase agreement. Credit card details are also included in the ICB library.
More than 300 lending institutions register information with the ICB on a monthly basis. "Typically, the citizen's payment profile history is reported over a 24-month repayment period," it says.
The Irish Credit Bureau is financed by Irish financial institutions.
The breach was outlined in the latest annual report of the Irish Data Protection Commissioner.
The regulator also revealed it has recently initiated an inquiry into 22 breach notifications from Bank of Ireland, in which the bank "was sending inaccurate data to the Central Credit Register, with a corresponding risk that the credit rating of certain bank customers had inaccurate information recorded".
The Central Credit Register is a separate credit rating body set up by the Central Bank.
The inquiry began in November 2019 and is rated as "ongoing" by the Data Protection Commissioner.
The DPC report detailed the office's activities over the last year and revealed the number of data breaches in Ireland.
In 2019, Helen Dixon's office received 6,247 data breach notifications, a 71pc increase on the year before.
Separately, there were 7,215 complaints logged with the privacy watchdog, up from just over 4,000 in 2018.