Bulgaria’s commission for personal data protection said on August 28 that it had fined Banka DSK, the country’s second-largest lender by assets, one million leva (about 511 300 euro) for the “illegal disclosure” of the personal data of its customers.
In total, the data of 33 492 customers from 23 270 loan files, which also included personal data of an “unlimited” number of related parties – such as relatives, vendors and loan guarantors – were “accessed by third parties”, the watchdog said, without giving a total number of the people affected.
The fine was imposed after a month-long check, which found that Banka DSK did not implement “appropriate technical and organisational measures and did not ensure the ability to guarantee the constant confidentiality” of its personal data administration systems, the commission said.
The data that was illegally accessed was extensive – names, personal identification numbers (known by their Bulgarian abbreviation EGN), current address, but also the scanned copies of ID cards kept on file by the bank, which include certain biometric data like height and eye colour, as well as full tax and income information, bank account numbers and information about property deeds.
In its statement, the commission gave no further details about the data leak, including how and when it happened, nor did it offer Banka DSK’s customers any advice on what steps they could take to ascertain if they were affected by the breach.
This is the second major personal data breach made public in Bulgaria in just over a month, after the data of millions of taxpayers was stolen from the National Revenue Agency in a cyber attack.
Although this breach affected a smaller number of people, the extent of the data accessed appears to be much greater. After its data leak, the revenue agency said only 189 people had their names, personal identification numbers, address, card number and issuing authority information stolen, which made them more susceptible to “potential fraud.”
Banka DSK was Bulgaria’s second-largest lender at the end of June, according to Bulgarian National Bank data, with assets of 15.4 billion leva. It is a subsidiary of Hungary’s OTP Bank.
Updated: On August 29, Banka DSK said that it accepted the fine levied by the watchdog. It said that, in June, it had been contacted by an individual with a prior conviction for bank robbery who claimed to have the data. After an internal investigation, the bank concluded that it was not subject to a cyber attack and reported the leak to the personal data watchdog and law enforcement.
News website Mediapool reported that it had contacted the person claiming to have “found” the data. They said that they had told law enforcement how they acquired the data, but gave no further details other than saying that they did not commit any criminal actions in acquiring it. They also admitted to having committed a bank robbery in 1997.
The person also said that Banka DSK had initially wanted to be given the data “unofficially”, but they refused and turned it in to the personal data protection commission instead, the report said.
(Banka DSK logo: dskbank.bg)