ComputerWeekly

Danske Bank upgrade error exposed 20,000 customer addresses


The personal addresses of thousands of Danske Bank customers were leaked last year following a planned system upgrade. For three months, until the issue was discovered in October and a fix was implemented, the personal addresses of customers making payments in Denmark were visible to recipients of domestic payments.

The bank said in a statement: “The issue arose from a human error during a planned system update, which affected the system in question and subsequently meant that existing controls did not detect the error at the time.”

The bank was alerted to the error by three customer incidents. On further investigation, it found that 20,600 customers were affected.

“Following initial confirmation of three customers affected by the issue, we conducted further investigations to establish the full scope of the issue,” said the bank. “This work confirmed that a larger group of customers had been affected.”

Danske Bank said that access to the address information would have required the recipient to actively open the relevant payment details. Other payment types, such as MobilePay payments, card payments and invoice payments, were not affected by the issue, according to the bank.

Regulators informed of breach

The bank shared its investigation with the Danish Data Protection Agency and informed the Danish Financial Supervisory Authority of the issue.

In February, the bank removed the address information from transaction details within its systems: “This deletion was implemented and ensures that protected addresses are no longer visible in payment transactions between Danske Bank customers.

“We have also contacted other financial institutions to whom customers have made transactions, to request that protected address information be removed from their systems where possible,” added the bank, saying it has taken steps to reduce the risk of a repeat of the problem in the future and to ensure processes now work correctly.

“Customer trust and security are of the utmost importance to Danske Bank,” it said. “We take the matter very seriously and sincerely apologise for this situation and the impact it may have on our customers. We understand that this situation may cause concern and have provided each affected customer with information about the issue and their rights, and we remain fully available in case of questions or concerns.”

Last month, a Lloyds Banking Group app programming error enabled some customers of the group’s Halifax, Bank of Scotland and Lloyds Bank to see the transactions of other customers. The breach exposed details of more than 114,000 mobile banking customers.

Lloyds Banking Group said it also submitted a formal notification to the Information Commissioner’s Office within 72 hours after the breach, in line with statutory timelines.

While the bank resolved the breach quickly, Meg Hillier, chair of the Treasury Committee, sent an email to Lloyds Banking Group’s group CEO, Charles Nunn, with the subject line: “Improper disclosure of individuals’ account information”. In the email, Hillier described the incident as “an alarming breach of data confidentiality”.


