Data Protection Commissioner slams Irish telecoms giant for “bog standard” security failings
Irish telecoms firm eircom has confirmed the theft of three laptops containing personal information of over 7,000 customers.
According to the Irish Independent, details of more than 7,000 mobile phone customers and employees were compromised while bank account or credit card details of 550 eMobile and Meteor customers was also potentially at risk.
Two of the laptops were stolen from eircom’s Dublin offices in December last year while the third was taken from the home of an employee. It was this laptop that contained the names and address of nearly 700 eircom employees, the Irish Independent says.
The laptops stolen from eircom’s office contained personal information of 6,441 eMobile business customers. Nearly 150 of these contained financial or bank details. Another file contained details of just over 400 Meteor post-pay customers, the report said.
The laptops were not encrypted.
Paul Bradley, head of communications at eircom, apologised to customers and said two separate investigations are underway. He added that no evidence had yet been uncovered that the data had been used by a third party.
However, the group was slammed by Irish Data Protection Commissioner Billy Hawkes. Speaking to RTE, he said the breach is one of the "most serious" his team had faced, "For two reasons: Because of the nature of the financial data that was on the unencrypted laptops puts people at risk of data theft and secondly the long delay in telling people that their data had been compromised and giving them the opportunity to protect themselves."
Hawkes said that data breaches should be reported within 24 for 48 hours and that eircom’s explanation that it was waiting to find out what data was on the laptops before notifying people was "not acceptable".
He was said that encryption on laptops that contain personal information is "bog standard security" and that it is "extremely surprising that in two separate incidents eircom laptops were not encrypted."
The Data Protection Commission confirmed it is investigating the incident.