The theft of four Bank of Ireland laptops has left 10,000 of its customers exposed to the risk of identity fraud, writes John Collins
TEN-THOUSAND Bank of Ireland customers in Dublin, Carlow and Louth should shortly be receiving letters confirming that their sensitive personal data was on one of four laptops stolen from bank employees last year.
The laptops, which were stolen from the cars and homes of staff, contained information relating to customers who either obtained a quote or took out a life assurance policy with Bank of Ireland Life from seven branches in Leinster.
It is likely that the thefts were opportunistic, with the perpetrators planning to sell the laptops rather than access the data on them.
According to Colm McDonnell, a partner at Deloitte's enterprise risk services practice, there is no company in Ireland that has not lost a laptop or other data storage device. "As soon as any information goes missing, there is a risk of identity theft," he says.
In this instance, the value of the information, which would be sufficient to carry out identity theft fraud in the name of the customer, far exceeds the resale value of a laptop on the black market.
With details such as name, address, date of birth etc, it would be relatively easy to open a bank account or apply for a credit card in that person's name.
Dave Keating, security specialist with technology distributor DataSolutions, says that, while the majority of computer thefts were opportunistic, criminals in Ireland have now started to "rob to order".
In Britain, the phenomenon has been related to industrial espionage, but Keating says there have been cases in Ireland where politicians and their aides have had offices burgled with only laptops being stolen.
"Three or four years ago someone would put a brick through a car window, steal a laptop, and sell it in the pub for three or four hundred euro," says Keating. "Now they realise, if they spend an extra half-hour finding out what's on it, they can sell it for thousands not hundreds."
Although the Garda is investigating the thefts, the chances of recovering the computers seem to be small. Statistics released by the Central Statistics Office this week show that, of the 24,771 reported burglaries in 2006, there have been just 1,512 convictions, with a further 932 cases pending.
Although Bank of Ireland declines to talk specifically about what security measures were used on the laptops, it has confirmed that the discs were not encrypted.
A spokeswoman for Bank of Ireland said all laptops containing customer data would be encrypted "by this weekend" and all laptops in the group would be encrypted by the end of May.
Brian Forrester, managing director of Bank of Ireland Life, has said laptops used by his staff have "several levels of password security".
IT security experts say anyone with a reasonable level of computer knowledge, or who is willing to spend the time researching online, could potentially access the information on the machines. So-called password cracking software can be downloaded from numerous online forums.
"Passwords are not considered a reasonable level of security," says Colm Murphy, technical director of security consultancy Espion. "Typically, the thief will remove the hard drive and connect it to another machine so that they don't even have to boot up the operating system."
Ken Farrow, director of fraud services with specialist risk consultancy Control Risks in the UK, says criminal gangs coming into possession of such data would most likely take out loans or open bank accounts in the victims' names.
In his experience criminal gangs are likely to try to establish if the details relate to wealthy individuals. If they think they do, the gangs will ring pension firms and investment houses purporting to be that person. According to Farrow, the intention is to gather more personal information, but also to try to get the assets diverted to an account controlled by the fraudster but in the victim's name.
Farrow, who has more than 30 years' experience as a police officer, says organised crime gangs now operate their own call centres, which ring financial institutions trying to gather information on potential victims.
Espion's Murphy agrees that social engineering - fooling a bank employee to reveal more information about a customer or make a change on their account - is a key element of identity fraud.
"They will typically phone the bank and try and get the address changed on the account," he says. "Then they open a beneficiary account that they can transfer funds into."
While the biggest threat to computer security was once teenage hackers, that is no longer the case.
"This is big money now," says Keating. "In the past it was 'script kiddies' doing this kind of thing to increase their reputation among other hackers. Now it is much more sophisticated and being done by organised crime gangs."
Murphy says terrorist organisations have also seen the potential of identity theft and other digital crime. "I carried out an investigation for the British police a number of years ago and we found that the Tamil Tigers were heavily involved in credit-card fraud and identity theft."
Given that the information gathered in the Bank of Ireland case was for the purposes of providing life assurance, it will be quite detailed. But even if the information is not sufficient, criminals can use search engines and social networking sites to gain more information on potential victims.
While it is not willing to go into the details, it is clear that Bank of Ireland is busy improving its IT security this week. The spokeswoman confirmed that there would be internal monitoring of the affected customers' accounts but said she could not discuss the details.
The worst-case scenario for the bank would be that the information would not just be used to carry out fraud on these customers, but that the laptops could provide access to other computer systems.
"The other risk is that a laptop is effectively a gateway to your network," says McDonnell. "It's like losing a set of keys - you've got to hope the person that finds them doesn't open your front door."
The advise to customers who receive a letter from the bank is to keep a close eye on their bank statements and online banking services. Although all of the experts say the chances that the information fell into the hands of criminals capable of defrauding the customers is low, it is not beyond the bounds of possibility.
Farrow says identity theft is the fastest-growing crime in Britain and insurance companies now offer policies against it. "In the old days people were worried about their house being burgled or their car stolen but now identity theft is the biggest concern. Cars are much better protected now and if someone breaks into a house, identity documents are far more valuable than a TV or DVD player."
It is only a matter of time before people in Ireland are thinking the same way.
