Bord Gáis failed to say stolen laptop data not encrypted

BORD GÁIS failed to tell the Data Protection Commissioner for almost a week that a stolen laptop containing sensitive customer information was not encrypted.

The computer, containing banking details of almost 75,000 customers, was stolen in Dublin on June 5th. It wasn’t until June 11th that the company told the commissioner’s officials that it was not protected by encryption, both the commissioner, Billy Hawkes, and the company confirmed yesterday. Mr Hawkes revealed he was about to issue an enforcement notice compelling Bord Gáis to tell customers about the data breach before it finally went public last Wednesday.

Four laptops were stolen from the company’s offices on Foley Street in Dublin’s north inner city in the early hours of Friday, June 5th. Bord Gáis informed gardaí and the Data Protection Commissioner on the same day, but did not specify to the latter that one of the laptops, containing account numbers, homes addresses and branch details of customers, was not protected by encryption.

Asked why it had not provided this information, a company spokeswoman told The Irish Times that it first had to “mirror” the contents of the laptop against the main computer and this took several days. When it was pointed out that chief executive David Bunworth told RTÉ yesterday morning that Bord Gáis knew on the same day that the machine was not encrypted, the spokeswoman confirmed it had taken a number of days to ascertain the lack of encryption. She said Mr Bunworth meant to say the theft had been reported on the same day.

The company elected not to publicise the theft after discussing the matter with gardaí, who believed the robbery was carried out by teenagers who would be unaware of the sensitivity of their booty. Mr Bunworth said it felt going public would only escalate the matter, but added that this “judgment call” was made by Bord Gáis, not the Garda.

Last Monday, the company met Mr Hawkes’s officials, who urged it to tell customers about the security lapse immediately.

Asked about the two-day delay between this meeting and the public disclosure by journalists, the spokeswoman said the company first had to organise the letter it would send to affected customers and set up a helpline. The letters are being sent out to customers today and the helpline will operate next week.

She also said the information on the laptop had not been downloaded in accordance with internal protocols and an investigation was being carried out. Security consultants Risk Management International were also called in to assess the threat from the theft.