Re: It's not surprising.
Lloyds keeps sending stuff to (presumably) the lodgers of the previous owners of my house. After I had delivered a letter by hand to the relevant branch, they sent two Visa debit cards. When I made a formal complaint they said they had done nothing wrong and refused to search for my address and remove it from their database. When I made preliminary enquiries to PRAwhistleblowing@bankofengland.co.uk, email@example.com, firstname.lastname@example.org and email@example.com, they all passed the buck.
Banks could not give a t*ss about their customers' information security.
As for pursuing every complaint as far as the ECJ, when the banks do this to us every day, how can you possibly have the emotional energy, let alone the money, to do such things?