Outcomes - Selected Case Summaries



Bank inadvertently sends existing clients’ data to new applicants

Informal Resolution | 21 February 2022

A bank suffered a personal data breach when a completed personal lending application was inadvertently emailed to two external parties. The Private Banking Team meant to send a blank personal lending application to two external parties but did not realize that the fillable pdf form still contained details of another client. The breach was discovered and reported by one of the prospective clients.

The bank took appropriate action to contain the breach and mitigate possible adverse consequences by reaching out to the unintended recipients, receiving confirmation that the email and attachments were deleted without further disclosure. The bank also created a separate shared folder to house copies of their blank templates, and put links to all blank forms available on their websites, for use by prospective or existing clients. We considered these measures appropriate, and confirmed that all requirements relating to the breach notification had been met, with no further action required.