Eircom, Meteor charged over breach
Telecoms companies Eircom and Meteor have been ordered to pay €15,000 each to charity after the details of over 10,000 customers were compromised when two unencrypted laptops were stolen.
The companies were prosecuted by the Data Protection Commissioner before Dublin District Court today in relation to the data breach involving two laptops stolen from Eircom’s offices at Parkwest in Dublin between December 28th, 2011 and January 2nd, 2012.
The court heard information on the computers included customer details such as names and addresses and copies of proof of identity documents such as driving licences, passwords and utility bills. This had potentially exposed them to identity theft.
Gardaí were informed of the theft on January 4th, but the commissioner’s office was not notified until February 2nd. A large number of the customers affected were not notified of the theft of the machines containing their personal information until March – more than two months after the event.
Each company pleaded guilty to three charges: failing to take appropriate security measures to protect the personal information on the laptops, failing to notify the commissioner of the breach without undue delay, and failing to notify their customers of the theft of their information without undue delay.
An initial breach report to the commissioner’s office in February indicated that the number of affected customers was 454 in the case of Meteor and 6,597 in the case of Eircom’s Emobile customers. Following “intensive” contact between the commissioner and the companies, an updated breach report submitted on March 15th revealed that the numbers were greater than originally thought.
The revised figures were 3,944 Meteor customers and 6,295 Emobile customers affected by the data breach.
In relation to 142 of the Emobile customers, the personal data in question was in the form of customer application forms including proof of identity, eg copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills.
The other 6,153 cases contained details such as name, address, telephone and account number.
Of the 3,944 Meteor customers affected, data held on 1,244 of them included similar proof-of-identity documents. The other 2,700 cases contained details such as name, address, telephone and account number.
The court heard that some 160 of more than 3,000 laptops in the Eircom companies had been found not to be encrypted during the investigation. This had since been rectified.
Assistant data protection commissioner Tony Delaney told the court the laptops had been password protected but not encrypted, which was a “key failing” by the companies.
Mr Delaney said this was a “basic requirement” to protect the personal information on the machines.
“If the laptops had been encrypted, it would have been impossible for anybody to make out or to see these proof of identity documents.”
Mr Delaney said the commissioner’s office had asked for an explanation of the delay in notifying his office and the companies had said it was due to the complex nature of the inquiry and the fact they had to reconstruct what information had been on the computers.