
Cyber Incident Victim: Bank of Ireland

Date:

Sep 2014

Location:

Ireland

Summary

A fraudster impersonated a Bank of Ireland client by compromising their email, tricking the institution into transferring funds from the client's account and its own reserves without proper verification, bypassing security questions and confirmation calls. The bank reimbursed the client but failed to report the incident to regulators or law enforcement for over a year, only doing so after the Central Bank discovered it during an audit. Investigators identified systemic failures including inadequate fraud controls, staff training that prioritized client instructions over security, poor governance, and a lack of compliance monitoring. The bank was fined €1.66 million for these deficiencies and for misleading regulators by withholding an internal report detailing the security gaps, which were only rectified following regulatory intervention.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

In September 2014, a fraudster impersonated a client of Bank of Ireland Private Banking Limited (BOIPB), a subsidiary of Bank of Ireland, and successfully tricked the institution into transferring €106,430. The attacker compromised the victim’s email account to submit fraudulent transfer requests targeting the client’s personal current account and BOIPB’s own funds, directing the money to a UK bank account. Bank of Ireland processed these transfers without requiring the fraudster to answer security questions or verify the request through the client’s registered contact telephone number. The bank reimbursed the affected client immediately but failed to notify the Central Bank of Ireland or An Garda Síochána (Irish police) about the incident. This omission persisted for over a year until the Central Bank discovered a reference to the fraud during a routine review of BOIPB’s logs, prompting a formal investigation and a directive to report the crime to law enforcement.


The Central Bank’s investigation revealed systemic failures in BOIPB’s fraud controls and governance. Deficiencies included inadequate systems to minimize fraud risk, insufficient oversight of internal controls, staff training that emphasized following client instructions over security protocols, and absent compliance monitoring. BOIPB also withheld an internal post-incident report from regulators for 19 months; the report detailed these systemic weaknesses, and withholding it misled investigators. Corrective actions to address third-party payment vulnerabilities were implemented only after a 17-month delay and direct intervention by the Central Bank. The regulator imposed a €1.66 million fine, citing BOIPB’s failure to safeguard against cyber-fraud, its lack of transparency, and the unreported illegal activity, which hindered broader efforts to combat financial crime. The incident exposed operational vulnerabilities and a cultural shortcoming: client service efficiency was prioritized over regulatory compliance.

Sources

1 source (available to members)