Irish ISP puts its customers' personal data at risk

By EDRi · February 15, 2012

Personal data of more than 6 800 current and former customers of the mobile
divisions of Eircom, the biggest Irish ISP, may be at risk after three
unencrypted laptops were stolen: two from the company's offices in Parkwest,
Dublin, between 28 December 2011 and 2 January 2012, and one from an
employee’s home on 19 December 2011.

Eircom stated that most of the data involved was personal data such as
names, addresses and telephone numbers, but in some cases it also included
passport or driving licence numbers or utility bills. For about 550
customers, the data on one of the laptops included financial information
such as bank account, debit card and credit card details.

Data Protection Commissioner Billy Hawkes considers the breach one of the
most serious and said that Eircom had put its customers at risk of identity
theft. He also criticised the company for the delay in notifying people of
the thefts; earlier notice would have given them the opportunity to protect
themselves.

“Our normal delay in getting reports in is 24 to 48 hours which is our
guideline for reports of such incidents. So I find it very surprising to
hear that reason being given by Eircom,” said Hawkes in response to Eircom’s
statement that the delay in reporting arose because the company had tried to
establish what data had been breached.

Furthermore, Hawkes said, Eircom as a telecom company was supposed to have
higher protection standards, and it was therefore “very surprising that in
two separate incidents Eircom laptops were not encrypted.” His conclusion is
that “telecommunications companies have a huge amount of data on all of us
and should be subject to more stringent requirements.”

Eircom stated that the incidents had been reported to the police
immediately, that two separate investigations were ongoing, and that there
was no evidence that the lost data had been used by a third party. “Eircom
treats privacy and protection of all data extremely seriously and we have
taken the following pro-active measures to address the situation. As a
precautionary step, we have contacted the Irish Banking Federation, who has
notified their members of the potential risk to data for affected eMobile
and Meteor customers.”

The company also stated it would contact by telephone those customers whose
financial data was potentially at risk, and would send letters to all
affected customers to notify them of the breach.

The fact that the laptops in question were unencrypted was considered
inexcusable, and according to data protection consultant Daragh O’Brien the
delay in alerting the commissioner’s office suggested faulty prevention and
detection policies at Eircom. Information security consultant Brian Honan
also said that companies were obliged, under various laws, to ensure the
proper security of information such as card payment information.

According to Eircom, a review of the group’s encryption policy is in
progress “to ensure all computers and laptops are compliant with the group’s
encryption policy.”

Eircom customer data breached (10.02.2012)
http://www.irishtimes.com/newspaper/breaking/2012/0210/breaking9.html

Press Release – eircom Group Statement on Laptop Theft
http://pressroom.eircom.net/press_releases/article/eircom_Group_Statement_on_Laptop_Theft/

Eircom slammed for laptop and data loss (13.02.2012)
http://www.scmagazineuk.com/eircom-slammed-for-laptop-and-data-loss/article/227433