ING Bank Unlawfully Transmits Data to Third Party
Who: ING Bank
# of Accounts Breached: Almost 20,000 people
What was affected: IDs and names of 19,055 individuals and credit reports, address information and phone number of 1,172 sole proprietorships and partnership companies
When it happened: March 2, 2019
How it happened: ING Bank stated that during a project carried out by Risk Center of TBB regarding information security, suspicious inquiries rendered by an ING Bank employee were found. This triggered an internal investigation in ING Bank in October 2018, which reportedly included seizing and inspecting the devices of the concerned employee. The preliminary findings of the investigation raised strong suspicions that a data leak has occurred which may also be considered as “the disclosure of client secret” under the Banking Law No. 5411. Although the concerned employee was not authorized to make the concerned inquiries through ING Bank’s system, the employee disabled the authorization system and accessed directly to the TBB’s concerned database. The concerned employee in 2018 run inquiries by using the identity numbers (“ID”) and tax identification numbers (“TIN”) of companies which are generally not a client of ING Bank and have leaked the results of these inquiries outside of the bank through electronic devices several times. ING Bank stated that the information obtained as a result of the inquiries are related only with corporate credit records such as, among others, turnovers, IDs of the shareholders, and shareholding structure, some of which are classified as personal data within the meaning of the data protection rules.
Outcome: ING Bank asserted that as a result of a thorough investigation, which included examining system logs and witness statements, there is no suspicion that any other individual took part in the data leak. The bank further stated that the method used to disable the authorization system is now blocked. The notified breach proves that the information security does not only depend on the strength of the cybersecurity programs but also the internal means that efficiently and effectively authorize the relevant personnel and keep track of work conducted within the scope of such authorization. Companies subject to such data breaches might have further problems such as damage claims of other affected companies, whose customers’ personal data was leaked, or directly of the data subjects.
In accordance with the notification, ING Bank is now working together with TBB to notify the data subjects regarding the concerned leak.