Eircom customers' details on stolen PCs
EIRCOM PUT nearly 7,000 customers at risk of identity theft by failing to inform them their personal details were contained on one of three unencrypted laptop computers stolen over Christmas, the Data Protection Commissioner said yesterday.
The details of up to 6,845 current and former customers of the company’s mobile divisions were affected. Eircom reported the thefts to the commissioner only on February 2nd – more than a month after they happened.
Eircom said it had needed time to establish exactly what information was on the machines before contacting customers.
The unencrypted customer information included financial details on up to 550 customers of eMobile and Meteor.
This included bank account and debit and credit card information, but not the CCV security codes for the cards.
Eircom said in the majority of cases the data at risk was personal – including names, addresses and telephone numbers.
It said there was no evidence the data had been used by a third party.
Other documentation stored on the laptops included data used to support customer applications, such as passport and driving licence details, and utility bills.
Two of the laptops were stolen from the company’s offices in Parkwest in Dublin between December 28th and January 2nd.
The third was taken from the home of an employee on December 19th.
The company said gardaí were informed immediately.
A spokesman for the company said the two laptops stolen from its Parkwest offices were not used outside the building.
Data Protection Commissioner Billy Hawkes said the nature of the financial data on the unencrypted laptops had put the customers at risk of identity theft. There had been a long delay in telling people their data had been compromised, which meant they had not had an opportunity to protect themselves.
As a telecommunications company, Eircom was subject to higher standards by law than other sectors of the economy, Mr Hawkes said.
The delay in reporting the thefts to his office was not acceptable.
“Our normal delay in getting reports in is 24 to 48 hours, which is our guideline for reports of such incidents. So I find it very surprising to hear the reason being given by Eircom.”
He added that encryption of laptops, where a company permitted the storage of personal data on them, was “bog standard security”.
It is an offence for companies to fail to notify the Data Protection Commissioner where there has been such a personal data breach. It is also an offence for a company to fail to notify the subscribers or individuals concerned if there has been a breach likely to affect their personal data or privacy.
A review of the group’s encryption policy for computers and laptops is taking place.
DATA PROTECTION: MAJOR BREACHES
In 2010, the Data Protection Commissioner received 410 data security breach notifications from 123 different organisations. The increase in notifications from 119 the previous year was attributed to a new code of practice published in 2010 which places “more exacting demands” on organisations, as the commissioner describes it.
BORD GÁIS LAPTOPS
In June 2009, the details of nearly 94,000 customers of Bord Gáis were compromised. One of four laptops stolen in a break-in was not encrypted and it contained details of people who had switched their electricity supply from the ESB as part of the company’s “big switch” campaign.
It emerged that the staff member at Bord Gáis who had downloaded the personal data on to the unencrypted machine had a specific responsibility for ensuring the protection of data.
In 2010, the entire GAA database of half a million members was stolen. It contained the names and addresses of about 500,000 members, the dates of birth of 289,000 members, mobile phone numbers for 107,000 members, landline numbers for 64,000 members and email addresses for 30,000 members (all numbers are approximate). In the case of 544 members, the database contained references to medical conditions.
A major audit by the commissioner last year of a massive insurance database known as Insurance Link found widespread breaches of data protection laws by employees of insurance companies. In some cases, they were found to have accessed information on other people, including celebrities, inappropriately and out of prurience. The system contains some 2.4 million claims records.
In some cases staff accessed data about houses and cars that they were considering purchasing.
HACKING OF THE FINE GAEL WEBSITE
In January last year, the Fine Gael website set up for the general election campaign was hacked. The personal information of 2,000 people who had submitted comments and left their details via the site was stolen and the entire database was emailed to media organisations, including The Irish Times. Information included phone numbers and email addresses.