Eircom computer theft exposes customer and employee data
Unencrypted laptops stolen, despite company encryption policy
Tech4Biz | 10 Feb 2012
The Eircom Group has confirmed that the theft of three laptops has resulted in the loss of information on 6,845 eMobile and Meteor customers along with 686 employees.
Two of the laptops were stolen from Eircom premises at Parkwest, Dublin, with another machine being stolen from an employee's home.
Once again we see an organisation that should know better suffering a highly embarrassing data loss that could easily have been prevented, and it begs the question, why?
With a stated policy of data encryption, why were three machines, stolen from two separate locations, unencrypted? It beggars belief.
Now, that said, looking at the situation practically, the most likely possibility is that the thefts were opportunistic and were not targeting data at all. The thieves may simply have been after hardware that was easily converted into cash and, as such, are not likely to be in the Professor Moriarty league of master criminals.
However, with coverage of data breaches now so prevalent, it would not take a genius to work out that the contents of the hard drives of these machines would be worth more to certain people than the machines themselves. It would not take a Prof Moriarty to work out that there must be an outlet for such things and endeavour to find a willing buyer. At that point, the situation changes entirely and there is real danger for those whose details are lost.
Coming back to Eircom, one must ask hard questions about why these machines were not encrypted. Whatever about the two machines inside the offices of Eircom at Parkwest, for the machine that was in the home of an employee to be unencrypted is, to put it mildly, unforgivable. Eircom has long experience of employees working offsite and from home, therefore there can be only two conclusions from this: either enforcement of the encryption policy was lax, or company data was taken off site without permission. Either way, there are serious issues to deal with.
Much of this comes back to accessibility and its balance with security. Speculating for a moment, if an organisation has a policy for encryption of devices that carry either employee or customer data that is so onerous as to make working with such data impossible, then people will circumvent it in order to get their jobs done. This is not through any maliciousness, but rather through a desire to simply get on with it. On the other side, if a data encryption policy is stated but not enforced or monitored, then employees will show a similar lack of respect for it and probably disregard it. Either of the above scenarios can result in what has happened at Eircom.
Given that the office of the data protection commissioner actually has fairly distinct powers in this area, I would not be at all surprised if there are serious consequences for the Eircom Group over this incident. However, if the organisation handles it well, with openness and humility, demonstrates its willingness to address the issues involved and develops new practices to prevent any recurrence, then it will not be all bad for Eircom. As has been demonstrated in cases such as the RSA hack, a crisis handled well can increase the standing of the organisation at the centre of it. Let's hope Eircom has been watching.
Paul Bradley, head of Communications, Eircom Group, confirmed that the stolen computers were not encrypted, despite a stated policy for such computers to be encrypted.
A statement from the group has said that "the incident was immediately reported to the Gardaí and an investigation is on-going." However, the data protection commissioner, Billy Hawkes, was critical of Eircom for slow reporting of the incident. Speaking on the RTE Radio 1 show Morning Ireland, Hawkes commented that it was "very surprising" that it had taken so long for the incident to be reported to the commission.
The computer that was stolen from the private residence of an Eircom employee contained "names and addresses of 686 Meteor employees." It has not yet been recovered and Gardaí are investigating.
The computers that were stolen from Eircom offices in Parkwest in Dublin "contained personal data for some current and former eMobile business customers," said an Eircom statement.
"Specifically, there is a potential data risk for 6,441 current and previous eMobile business customers, dating from August 2010 until December 2011. The data at risk for the vast majority of customers is personal data including names, addresses and telephone numbers. There is a small group of approximately 146 customers where financial data including bank account details may be at risk. There may also be a range of documentation used to support a customer application such as passport and driver's licence details, various photo IDs or utility bills which all may have been used to establish proof of identity. In some cases financial data such as bank account, Laser or credit card details is also at risk."
Bradley confirmed that the two machines stolen from the Parkwest office were in current use at the time. "They were used by our sales and support teams on the mobile side, and would have been processing applications submitted by e-mail."
The Eircom statement went on to say, "eircom treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation." Similar statements were made on both the Meteor and eMobile web sites, under the heading "Data Protection Update."