Gardaí are investigating the theft of a memory stick containing personal details of tens of thousands of customers of Budget Travel, which went into liquidation last November.
The liquidator, Simon Coyle, contacted affected customers yesterday to inform them their details were on a USB stick taken as part of a theft from Budget Travel’s headquarters in Dublin within the past two weeks.
It is understood that more than 90,000 customers may be affected. Mr Coyle would only confirm the figure ran to "tens of thousands".
The information had been stored on the memory stick as part of the transfer of business from Budget Travel, which is being bought by Club Travel.
Information contained on the database includes customers’ names and email addresses, and may also include phone numbers and postal addresses, if these were provided to Budget Travel.
The database does not contain any credit card, debit card, bank details, financial information or any "sensitive data" about any former customers of Budget Travel, Mr Coyle insisted.
The database does, however, contain internal Budget Travel codes representing customers’ age groups, gender and travel preferences. Not all customers provided this information.
Mr Coyle told customers that gardaí were investigating the matter and the perpetrators of the theft had been identified. The memory stick has not yet been recovered.
“The theft appears to have been opportunistic with no specific intent to take customer data and it is important to emphasise that the information on the database is very basic data, which in some cases could be obtained elsewhere (in a telephone directory for example).
“Without the Budget Travel codes, it is unlikely that those who stole the USB stick will be able to decipher and read the encoded data.”
In a statement, Mr Coyle said: “We are taking this issue very seriously, and are working closely with both the gardaí and the Data Protection Commissioner. We had been hopeful of retrieving the USB stick, but unfortunately we have not been able to do so yet.”
Procedures had been put in place to ensure that such a data breach does not happen again.
Deputy Data Protection Commissioner Gary Davis confirmed the liquidator had informed his office soon after the theft of the USB stick on February 1st. “They did report it and we have been liaising with them [to establish] what happened.”
The issue again highlighted that anyone dealing with personal information should ensure that it was stored securely, he said.
Mr Davis said that in this case, however, it appeared there was no risk of identity theft because there were no financial or bank account details stored on the device.
Former Budget customer Suzy Byrne posted details of the liquidator’s email on her blog mamanpoulet.com when she received it on Wednesday evening.
“I just can’t believe that an organisation would put a database on a key that was not protected or encrypted in any way. Obviously that information is valuable to somebody, and the email addresses are useful to people who are trying to sell holidays,” she said.
Ms Byrne said she was not satisfied that her own information was not compromised as a result of its inclusion on the memory stick. But she acknowledged there was no financial information on it.
The liquidator originally wrote to former customers of Budget Travel in December to inform them he had been approached by a number of parties who wished to purchase the business.
He informed them he intended to disclose their personal information to ensure continuity of service to them, but gave them an option to opt out of such disclosure.
The sale to Club Travel is expected to be completed in the next few weeks. Club Travel could not be contacted for comment to establish if it was aware of the security breach.