This article is also available in:
Deutsch: Irischer ISP setzt die persönlichen Daten seiner Kunden aufs Spiel
Personal data of more than 6 800 current and former customers of Eircom's (biggest Irish ISP) mobile divisions may be at risk after three unencrypted laptops have been stolen, two from the company offices in Parkwest Dublin during 28 December 2011 - 2 January 2012 and one from an employee's home on 19 December 2011.
Eircom stated that most of the data involved were personal data including name, address and telephone numbers, but in some cases passport, driving licence numbers or utility bills and for about 550 customers the data on one of the laptops included financial information such as bank accounts, debit and credit card information.
Data Protection Commissioner Billy Hawkes considers the breach as one of the most serious ones and said that Eircom had put its customers at risk of identity theft. He also criticised the company for the delay in announcing people of the thefts that would have given them the opportunity to protect themselves.
"Our normal delay in getting reports in is 24 to 48 hours which is our guideline for reports of such incidents. So I find it very surprising to hear that reason being given by Eircom," said Hawkes as a reaction to Eircom's statement that the delay in reporting came from the fact that the company had tried to find out what data had been breached.
Furthermore, as Hawkes said, Eircom as a telecom company was supposed to have higher protection standards and therefore it was "very surprising that in two separate incidents Eircom laptops were not encrypted." His conclusion is that "telecommunications companies have a huge amount of data on all of us and should be subject to more stringent requirements."
Eircom stated the incidents had been immediately reported to the police, two separate investigations were ongoing and that there was no evidence that the lost data has been used by a third party. "Eircom treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation. As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile and Meteor customers."
The company also stated it would contact by telephone those customers whose financial data was potentially at risk, and would send letters to all affected customers to notify them of the breach.
The fact that the laptops in question were unencrypted was considered as inexcusable and according to data protection consultant Daragh O'Brien the delay in alerting the commissioner's office suggested faulty prevention and detection policies in Eircom. Information security consultant Brian Honan also said that companies were obliged, under various laws, to ensure the proper security of information such as card payment information.
According to Eircom, a review of the group's encryption policy is in progress "to ensure all computers and laptops are compliant with the group's encryption policy."
Eircom customer data breached (10.02.2012)
Press Release - eircom Group Statement on Laptop Theft
Eircom slammed for laptop and data loss (13.02.2012)