The Central Bank has admitted to a data breach in its credit register, which may have made it harder for thousands of borrowers to successfully access credit.
However, the error did not lead to the borrowers' data being compromised or accessed by unauthorised third parties.
The embarrassing breach relates to the Irish Central Credit Register (CCR) – a database that records whether borrowers’ have successfully met the terms of credit agreements by repaying on time and in full.
Credit agreements include loans, overdrafts, credit cards and mortgages.
The CCR is consulted by lenders who are deciding whether or not to lend money to people.
The CCR holds repayment records for individuals for five years, after which time the records are supposed to be deleted automatically.
However, following an enquiry from a member of the public at the start of August, the bank discovered that CCR data for May, June and July of 2018 had not been deleted due to a technical error.
This meant that outdated information for borrowers remained available on the CCR database and would have been included in any credit reports sought by lenders between June 1st and August 7th.
"While this information was accurate, the additional three months of information should not have been made available, and constitutes a data breach under data protection legislation," the Central Bank said in a statement.
"The Central Bank sincerely apologises for this error and can confirm that immediate action was taken to fix it."
"Remediation began on 4 August and the error was fully resolved on 7 August 2023, with the database reflecting the correct five-year retention period."
But the error means that credit reports that were sought by lenders during the period were outdated and may have had an adverse impact on the borrowers’ credit applications.
The Central Bank said it is working to establish to what extent, if any, the issue may have been a factor in credit being denied.
"The Central Bank’s investigation so far has determined that, of the approximately 476,000 total enquiries made by lenders or borrowers for information held on the CCR over the period between 1 June and 7 August 2023, the records of around 20,500 borrowers contained performance data pointing to repayment difficulties in May, June or July 2018," it said.
"It is important to note that the information held on the CCR is one of many factors that lenders use to determine whether a loan is approved or not."
"In addition, the fact that lenders made a request for information on the CCR does not mean that those specific pieces of information were used by lenders in their credit decisions."
The regulator added that so far, its probe has found that a large proportion of the 20,500 borrowers continued to have difficulties in servicing their credit agreements over the following three months.
"At this stage, therefore, the Central Bank is not in a position to determine with accuracy the extent to which credit applications were adversely affected by this incident," it said.
The bank said its probe continues and it is liaising with lenders to gauge the impact on potential borrowers.
It has also notified the Data Protection Commission, as it is obliged to do by law.
"Once we have a clearer view of the nature and extent of impacts on borrowers, the Central Bank will seek to communicate directly with those most likely to have been affected," it said.
