Eircom apologises for loss of customer data

Saturday, February 11, 2012

Eircom has apologised after failing to protect the personal information of more than 7,000 mobile phone customers and employees, which was stored on three stolen laptops.

However, the hi-tech communications company was lambasted for neglecting "bog standard" security measures and only disclosing the thefts three months after they occurred.

It could become the first firm to be prosecuted under stiff new data protection legislation introduced specifically for communications companies last year and faces potential fines of €250,000.

Names, addresses, phone numbers and, in some cases, bank account and credit or laser card details, along with copies of passports, driving licences and other personal documents relating to Eircom’s eMobile and Meteor customers were among the unencrypted data recorded on the laptops, two of which were taken from company offices and the other from an employee’s home.

Most of the people involved do not yet know they are affected, as letters were only being posted by the company yesterday, although anyone whose financial details were at risk was prioritised for notification by phone.

The company admitted that it was a breach of company policy not to have laptops encrypted in the event of theft and said it was carrying out an internal investigation into why security was so lax on these particular units.

That investigation had already uncovered 45 other laptops in use by staff, which were similarly not protected, but these have since been installed with encryption software.

Data Protection Commissioner Billy Hawkes, who is also investigating, said the potential exposure of financial data and the long delay in reporting the problem made this one of the most serious breaches his office had dealt with.

"The normal delay in getting reports is 24-48 hours," he said.

He was only notified last week and the laptops were stolen last December. He said customers should have been notified earlier to put them on the alert for any tampering with their bank accounts or credit cards.

He also pointed out that communications companies were subject to higher security standards than other industries:

"Encryption of laptops where you do permit personal data to be stored on them is bog standard security, so it’s extremely surprising that in two separate incidents eircom laptops were not encrypted," said Mr Hawkes.

Eircom spokesman Paul Bradley said the delay in reporting the breach was because it took longer than expected to determine if the laptops were encrypted and then to work out what information they contained. "Eircom apologises to customers for the incident. It’s extremely regrettable," he said. He added that there was no evidence of the exposed data being used by a third party and said the breach was "small, relatively, in terms of our customer base".

Q&A

Q. Who is affected?

A. 6,441 current and previous eMobile business customers who signed on between August 2010 and December 2011, including 146 whose bank account or other financial data was recorded, plus 404 post-pay Meteor customers who applied online between January and July 2011 and whose financial data is at risk, plus 686 employees.

Q. What should concerned customers do?

A. Wait for notification by the company or call one of these helplines: Meteor customers: 1800 444085, eMobile customers: 1800 428278. Check bank accounts for irregular transactions since last December. Report any suspicions to the bank, Meteor/eMobile and the Data Protection Commissioner.

Q. Will Eircom pay compensation if a customer is the victim of card fraud or identity theft?

A. It says it will "work with customers to resolve that matter" if it arises.

Q. Will the company be sanctioned for the breach of trust and sloppy security?

A. The Data Protection Commissioner is investigating and has powers to prosecute for both the failure to protect the data and the delay in notifying customers. Potential maximum penalties of €250,000 apply for each offence but the legislation is new and has not yet been enforced in a case like this.

Q. How common is this kind of breach?

A. In recent years, the personal, financial or medical data of more than 650,000 people has been put at risk by the theft of unprotected laptops and other IT equipment from Bord Gáis, Bank of Ireland, the HSE, Irish Blood Transfusion Board, the Comptroller and Auditor General’s office and Budget Travel. Repeat incidents were not expected as encryption software is now readily available to make data inaccessible to unauthorised users. However, the Data Protection Commissioner’s annual reports reveal companies are still failing to install adequate safeguards.

Q. Is there anything customers can do to protect themselves?

A. Monitor bank accounts for irregular/unsanctioned transactions. If companies seek an unreasonable amount of personal data to sign on for a simple service, question why it’s needed. Take business elsewhere or consult the Data Protection Commissioner.
