DUBLIN, Ireland - At a time when banks and financial institutions are grappling with cybersecurity issues, AIB has suffered a massive data breach - but this time, the breach occurred in an old-fashioned way.
According to reports, AIB sent a letter to about 500 of its customers, informing them that their personal data had been breached.
A report by RTÉ said that, in the letter, AIB informed those affected that an employee had lost a stack of records containing their names; loan and deposit balances; and their account turnover and annual fees.
AIB said that the breach occurred at the end of August and that the employee “mislaid” the documents while travelling between two of its branches in Galway.
The files were being transported to be used for a review of branch portfolios.
In the letter, AIB reportedly said, "I want to notify you that a spreadsheet containing confidential information relating to your banking facilities with us was mislaid on Thursday 31 of August. The information included in this documentation was your name, loan and deposit balances, account turnover and annual fees, plus a number of internal bank related codes. This happened while a staff member was travelling between two branches for a scheduled internal meeting that was being held to carry out a general review of branch portfolios. We have taken and continue to take every possible action to locate the mislaid data but to date it has not been retrieved."
Later, AIB issued a statement to RTÉ, in which it said that it had gone above and beyond to try to locate the files, but had obviously come up short, and confirmed that the matter had been forwarded to the Office of the Data Protection Commissioner.
It said, “AIB has contacted all impacted customers to explain the matter and to apologise unreservedly. AIB takes its Data Protection obligations very seriously and has reported this incident to the Office of the Data Protection Commissioner.”
It tried to allay the fears of those affected and said that the files would not allow someone to access their accounts, given the information provided, which contained no addresses or contact details.