OTP's Bulgarian unit fined for data breach affecting over 33,000 clients

SOFIA (Reuters) - Bulgaria’s DSK Bank, a unit of Hungary’s OTP Group, has been fined 1 million levs ($569,930) for a data breach that affected over 33,000 clients, the country’s Commission for Personal Data Protection said on Wednesday.

The personal data watchdog said the full names, addresses, copies of ID cards as well as bank account numbers and property deed data of 33,492 people who have taken loans from the bank had been improperly disclosed and accessed by third parties.

Personal data of loan guarantors, spouses and contracting parties that were part of over 23,000 loan dossiers had also been breached.

The Commission launched a probe into the leak after DSK said in June it had been approached by a Bulgarian former convict who claimed to have a database with personal details of its clients.

DSK said at the time it had carried out internal checks that showed the bank’s systems had not been hacked, suggesting any leak of data would have occurred through other illegal means.

“DSK Bank was fined by the Commission for Personal Data Protection over a non-digital data theft carried against it,” the bank said in a statement. “DSK Bank accepts the fine and cooperates with the authorities to further improve its personal data protection measures.”

The Commission said it fined the bank for failing to introduce proper technical and organizational measures to guarantee the confidentiality of clients’ personal data at all times.

Reporting by Tsvetelia Tsolova, editing by Deepa Babington