The Data Protection Commission (DPC) has begun an inquiry into a data breach by the Central Bank affecting the Central Credit Register (CCR).
The Central Bank said the error it made, which it first publicly disclosed in August, led to decisions by lenders about applications for personal loans and credit cards by nine potential borrowers being influenced.
In a further 41 cases, lenders have not been able yet to confirm if there was any impact, the Central Bank said.
The CCR is a database that records whether borrowers' have successfully met the terms of credit agreements by repaying on time and in full.
Credit agreements include loans, overdrafts, credit cards and mortgages.
The CCR is consulted by lenders who are deciding whether or not to lend money to people.
It holds repayment records for individuals for five years, after which time the records are supposed to be deleted automatically.
But in August, the Central Bank revealed that an enquiry from a member of the public at the start of August led the bank to discover that CCR data for May, June and July of 2018 had not been deleted due to a technical error, constituting a data breach.
This meant that outdated information for borrowers remained available on the CCR database and would have been included in any credit reports sought by lenders between June 1st and August 7th
This could potentially have influenced outcomes of applications for credit if the data showed they had difficulties in making repayments during the three month period.
Today the Central Bank said it has established that records of 20,872 borrowers who had performance data pointing to repayment difficulties in May, June or July 2018, which were the three additional months that should have been deleted, were accessed by either lenders or borrowers.
These borrowers were associated with 31,013 enquiries by lenders, because borrowers may have made more than one credit application.
In the cases of 30,963 of these credit enquiries, lenders have said their credit decisions were not affected by the excess data, but in nine they were.
"The Central Bank of Ireland sincerely regrets, and apologises for, this error," said Vasileios Madouros, Deputy Governor for Monetary and Financial Stability.
"While we have a range of controls in place in the operation of the CCR, it is clear they were insufficient to prevent this specific incident."
"This falls short of our own standards and we have implemented immediate measures to prevent this error from reoccurring."
The Central Bank said all nine of those borrowers whose credit applications were influenced by the excess data have been contacted and there is a contact point in place at the lenders should they wish to discuss their previous application or re-apply for credit.
The bank said it has also initiated a broader review to strengthen controls in the area.
It said it has engaged with the Data Protection Commission throughout the incident and that it has been notified that the DPC has begun an inquiry into the breach.
