Eircom has today reported a potential data breach for customers following the theft of three laptops.
Two of the computers were stolen from eircom's offices at Parkwest in Dublin between December 28, 2011 to January 2, 2012, and the third was taken from the home of an employee on December 19. The data on all of the laptops was not encrypted.
The company says the theft has resulted in a potential data breach for more than 6,845 eMobile and Meteor customers, as well as 686 employees.
"Specifically, there is a potential data risk for 6,441 current and previous eMobile business customers, dating from August 2010 until December 2011," said a company statement regarding the Parkwest theft.
"The data at risk for the vast majority of customers is personal data including names, addresses and telephone numbers. There is a small group of approximately 146 customers where financial data including bank account details may be at risk.
"Separately, there is also a risk to data held within 404 Meteor customers. The data specifically concerns post-pay customers who applied online between January and July 2011.
"The personal data at risk includes details such as an applicant’s name, address, and telephone numbers as well as a range of documentation used to support a customer application such as passport and drivers licence details, various photo ids or utility bills which all may have been used to establish proof of identity.
"In some cases financial data such as bank account, laser or credit card details is also at risk."
The theft has sparked a review of the firm's encryption policy.
Gardaí have been notified and two separate investigations are underway. The company said that there is no evidence at this time that the data at risk has been used by a third party.
The company said that it is now working to contact anyone who may be affected by the problem.
"Eircom treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation," said a company statement.
"More than 20 customer care agents and account managers have initiated a contact programme to telephone all 550 customers whose financial data may be at risk.
"The agents will notify the customers of the risk and inform them of the specific data involved. They will also answer any questions or concerns they may have. In addition, all impacted customers will be notified by letter.
"As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile and Meteor customers."
Data Commissioner Billy Hawkes later said that this was one of the most serious breaches on the scale.
He said the financial data on unencrypted laptops had put people at risk of identity theft and criticised eircom’s delay in telling customers their data had been compromised.
Mr Hawkes said firms normally reported breaches within 24 to 48 hours and said it was unacceptable that eircom was not initially aware what information was on the laptops.
Communications companies are also subject to higher security standards than other sectors by law, he added.
“Encryption of laptops where you do permit personal data to be stored on them is bog-standard security so it’s extremely surprising that in two separate incidents eircom laptops were not encrypted,” Mr Hawkes said.