Eircom customer data breached

The details of up to 6,845 current and former customers with Eircom's mobile divisions may have been compromised after three unencrypted laptops were stolen.

Financial information on up to 550 customers with eMobile and Meteor was contained on one of the three machines. The information includes bank account, debit and credit card information.

Eircom said, however, that in the majority of cases the data at risk was personal - including names, addresses and telephone numbers. Other documentation included data used to support customer applications, such as passport and driver's licence details, and utility bills.

Two of the laptops were stolen from the company’s offices in Parkwest in Dublin some time between December 28th and January 2nd and the unencrypted information was on one of those.

The third was taken from the home of an employee on December 19th. The company said gardaí were informed immediately. A spokesman for the company said the two laptops stolen from its Parkwest offices were not used outside the building.

Data Protection Commissioner Billy Hawkes said today the breach was one of the more serious types reported to his office.

He said the nature of the financial data on the unencrypted laptops had put the customers at risk of identity theft. There had also been a long delay in telling people that their data had been compromised so they had not had an opportunity to protect themselves. Thirdly, as a telecommunications company, Eircom was subject to higher standards by law than other sectors of the economy.

Speaking on RTÉ's Morning Ireland programme, Mr Hawkes said the delay in reporting the thefts to his office was not acceptable.

“Our normal delay in getting reports in is 24 to 48 hours which is our guideline for reports of such incidents. So I find it very surprising to hear that reason being given by Eircom.”

Mr Hawkes said encryption of laptops, where a company permitted the storage of personal data on them, was “bog standard security”. “So it’s extremely surprising that in two separate incidents Eircom laptops were not encrypted.”

Mr Hawkes said telecommunications companies were subject to European and Irish law obliging them to guard customer data very securely.

“Secondly, they are required to inform customers without undue delay when there is a breach. This recognises the fact that telecommunications companies have a huge amount of data on all of us and should be subject to more stringent requirements.”

Data protection consultant Daragh O’Brien, who has worked with the telecommunications sector, said it was “inexcusable in today’s environment not to encrypt laptops”. He said the delay in alerting the commissioner’s office also suggested weaknesses in Eircom’s prevention and detection policies.

While organisations needed to have policies for encryption, the sharing of data and the proper use and storage of data, it was equally important that they had adequate controls to ensure those policies were being followed.

Appropriate processes also had to be in place to manage risk and meet the duty of care established by data protection rules, he said.

Information security consultant Brian Honan said companies were obliged under various laws to ensure information such as card payment information was secured properly.

He said a more secure option for the data would be to have it on a centralised database where the security of the data could be managed better, rather than on laptops.

“If the data in question had to be on those laptops then it is disappointing, given recent headlines on data losses on unencrypted laptops in other organisations, that Eircom had not taken this basic step to protect the information entrusted to them by their customers and staff.”

Mr Honan said many organisations also tended to forget there was other data held on laptops that could put them at risk – including business plans, sales and marketing plans and price lists.

Eircom said today it would contact by telephone those customers whose financial data was potentially at risk, and all affected customers would receive a letter notifying them of the breach. The company also said it had contacted the Irish Banking Federation to notify it of the potential risk for affected customers.

A review of the group's encryption policy for computers and laptops is also underway.

Meteor customers who believe they may have been affected can contact 1800 444 085 or log on at meteor.ie. eMobile business customers can contact 1800 428278 or can visit emobile.ie.