Eircom and Meteor ordered to pay €15,000 each over data breach


EIRCOM AND Meteor have been ordered to pay €15,000 each to charity after the details of more than 10,000 customers were compromised when two unencrypted laptops were stolen.

Both companies were prosecuted by the Data Protection Commissioner before Dublin District Court yesterday in relation to the data breach involving two laptops stolen from Eircom’s offices at Parkwest in Dublin between December 28th, 2011, and January 2nd, 2012.

The court heard information on the computers included customer details such as names and addresses and copies of proof-of-identity documents such as driving licences, passwords and utility bills. This had potentially exposed them to identity theft.

Gardaí were informed of the theft on January 4th, but the commissioner’s office was not notified until a month later, on February 2nd. A large number of the customers affected were not notified of the theft of the machines containing their personal information until March, more than two months after the event.

Each company pleaded guilty to three charges relating to failure to take appropriate security measures to protect the personal information on the laptops, of failing to notify the commissioner of the breach without undue delay, and of failing to notify their customers of the theft of their information without undue delay.

An initial breach report to the commissioner’s office in February indicated the number of affected customers was 454 in the case of Meteor and 6,597 in the case of Eircom’s Emobile customers.

But following “intensive” contact between the commissioner and the companies, an updated breach report submitted on March 15th revealed the overall numbers were greater than originally thought. The revised figures were 3,944 Meteor customers and 6,295 Emobile customers affected by the data breach.

The court heard that some 160 of more than 3,000 laptops in the Eircom companies had been found not to be encrypted during the investigation. This had since been rectified.

Assistant data protection commissioner Tony Delaney told the court the laptops had been password protected but not encrypted, which was a “key failing”. Mr Delaney said this was a “basic requirement” to protect the personal data on the machines.

He said knowing their personal information had been compromised would always be a serious cause of distress and worry for those customers affected.

Judge John O’Neill said he did not understand the reason for the delay in reporting the data breach to the commissioner. He said if the companies had done this earlier, they would have had “an ally in their corner” to help them deal with the matter. He noted the commissioner’s code of practice regarding such breaches had been ignored by the companies.

The court heard neither company had previous convictions for a data breach. The offences carry fines of up to €30,000.

The judge said the companies had “come in with their hands up” and had not attempted to minimise their part in the offences. He said, however, they should have notified the commissioner earlier.

He ordered Eircom to pay €15,000 to the Laura Lynn Foundation and Meteor to pay the same sum to Pieta House by September 30th. If those amounts were paid by that date, he would apply the Probation Act on all charges.