The Central Bank of Ireland is today issuing a public statement having recently identified an archiving error that affected the retention period of certain borrower information held on the Central Credit Register. As a consequence of this error, certain borrower information was retained on the Central Credit Register for up to an additional three months, and included in credit reports, when it should not have been retained or included. This error constitutes a data breach under data protection legislation. We wish to state clearly that borrowers’ data has not been compromised or accessed by any unauthorised third parties as a consequence of this error.
The Central Bank of Ireland is responsible for the operation of the Irish Central Credit Register (CCR) under the Credit Reporting Act 2013. The CCR is a database that stores personal and credit information on loans of €500 or more. The Central Bank has contracted with CRIF Ireland Ltd to operate the Central Credit Register on its behalf.
Each month, lenders submit payment performance data on borrowers to the CCR, which includes information on whether payments on credit agreements, such as loans, overdrafts, credit cards and mortgages, were made or not. This information is intended to be retained on the CCR for a maximum period of five years, after which an automated process is run to delete data older than five years.
Following an enquiry by a member of the public on 3 August 2023, the Central Bank became aware that historical payment performance data for the months of May, June and July 2018 had not been deleted as scheduled. This was due to a technical error that affected the automated deletion process of historical records in the CCR.
As a result of this error, additional, outdated information relating to these three months was available on the CCR database for inclusion in credit reports issued to borrowers and lenders in the period 1 June to 7 August 2023. While this information was accurate, the additional three months of information should not have been made available, and constitutes a data breach under data protection legislation.
The Central Bank sincerely apologises for this error and can confirm that immediate action was taken to fix it. Remediation began on 4 August and the error was fully resolved on 7 August 2023, with the database reflecting the correct five-year retention period. The CCR is now functioning normally and credit reports being provided since this date do not reflect any additional information. We have also commenced an investigation to establish a full account of the issue and intend to conduct a wider review of the CCR’s relevant processes and procedures.
A key focus of our ongoing investigation is to establish whether any borrowers were impacted by this incident. The main mechanism through which borrowers could be impacted is where the CCR contained information around loan performance over the months of May, June and July 2018, which may have adversely affected decisions by lenders to extend new credit or decisions by borrowers to seek new credit. This could be the case where (i) the records pointed to repayment difficulties during the additional, outdated, three months; and (ii) lenders or borrowers had sought to access those records over the period between 1 June and 7 August 2023.
The Central Bank’s investigation so far has determined that, of the approximately 476,000 total enquiries made by lenders or borrowers for information held on the CCR over the period between 1 June and 7 August 2023, the records of around 20,500 borrowers contained performance data pointing to repayment difficulties in May, June or July 2018.
It is important to note that the information held on the CCR is one of many factors that lenders use to determine whether a loan is approved or not. In addition, the fact that lenders made a request for information on the CCR does not mean that those specific pieces of information were used by lenders in their credit decisions. For example, the Central Bank’s analysis so far has determined that the records of a significant proportion of the 20,500 borrowers continued to point to performance difficulties in the months following May, June and July 2018. At this stage, therefore, the Central Bank is not in a position to determine with accuracy the extent to which credit applications were adversely affected by this incident.
Our investigation into any potential impact on these borrowers is ongoing. We are engaging with lenders to advise them of the incident and to establish if the additional three months of historical credit information affected their lending decisions in any way. This will allow us to assess whether the incident has had any impact on prospective borrowers in the period, 1 June and 7 August 2023. Once we have a clearer view of the nature and extent of impacts on borrowers, the Central Bank will seek to communicate directly with those most likely to have been affected.
Borrowers can request a copy of their credit report, free of charge, on the CCR website. Borrowers with loan performance issues in the impacted three-month period in 2018, and who had made a credit application over the period of 1 June to 7 August 2023 may also wish to engage with the relevant lender.
In line with our obligations under data protection legislation, the Central Bank of Ireland has notified the Data Protection Commission (DPC) of this matter. Our engagement with the DPC is continuing.