NCBA Fined Sh 250,000 by ODPC for Mishandling Customer Email and Data Breach


Kenya’s Office of the Data Protection Commissioner (ODPC) has imposed a fine of Sh 250,000 on NCBA Bank over a data privacy breach involving the mishandling of a customer’s email address, which resulted in repeated disclosure of confidential business information to an unintended recipient.

The penalty follows a complaint lodged on October 22, 2024, by a business owner whose requests that NCBA correct his email address were repeatedly ignored. The dispute traces back to May 29, 2019, when the complainant opened a business account under the name Versilia Enterprises at NCBA’s Lavington Branch.

During the process, two different email addresses were inadvertently provided, only one of which was valid and regularly used by the complainant.

Despite numerous requests and reassurances from NCBA agents that the correction had been made, the bank continued to send sensitive transaction details to the incorrect email address, which belonged to an unrelated third party.

In June 2023, the issue escalated when the complainant initiated a transaction involving a Japanese company at NCBA’s Westlands Branch. The bank, however, emailed the details of the transaction to the wrong recipient.

This prompted the third-party recipient, who had no affiliation with the complainant or NCBA, to contact the bank, questioning why she was receiving confidential business emails.

The complainant followed up in person at the Westlands Branch in July 2023, once again requesting the email address be corrected. Although NCBA agents confirmed the update had been implemented, the complainant discovered in February 2024 that his business emails were still being sent to the incorrect address.

The ODPC found NCBA guilty of failing to rectify the complainant’s personal data despite having adequate time and opportunity to do so.

The regulator noted that this negligence amounted to a violation of the Data Protection Act, citing the bank’s continued sharing of personal and business information with an unintended third party as a serious breach of privacy.

Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.
