Potential data breach as eircom laptops stolen

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.irishexaminer.com/breakingnews/ireland/potential-data-breach-as-eircom-laptops-stolen-539298.html

Eircom has today reported a potential data breach for customers
following the theft of three laptops.

Two of the computers were stolen from eircom's offices at Parkwest in
Dublin between December 28, 2011 to January 2, 2012, and the third was
taken from the home of an employee on December 19. The data on all of
the laptops was not encrypted.

The company says the theft has resulted in a potential data breach for
more than 6,845 eMobile and Meteor customers, as well as 686
employees.

"Specifically, there is a potential data risk for 6,441 current and
previous eMobile business customers, dating from August 2010 until
December 2011," said a company statement regarding the Parkwest theft.

"The data at risk for the vast majority of customers is personal data
including names, addresses and telephone numbers. There is a small
group of approximately 146 customers where financial data including
bank account details may be at risk.

"Separately, there is also a risk to data held within 404 Meteor
customers. The data specifically concerns post-pay customers who
applied online between January and July 2011.

"The personal data at risk includes details such as an applicant’s
name, address, and telephone numbers as well as a range of
documentation used to support a customer application such as passport
and drivers licence details, various photo ids or utility bills which
all may have been used to establish proof of identity.

"In some cases financial data such as bank account, laser or credit
card details is also at risk."

The theft has sparked a review of the firm's encryption policy.

Gardaí have been notified and two separate investigations are
underway. The company said that there is no evidence at this time that
the data at risk has been used by a third party.

The company said that it is now working to contact anyone who may be
affected by the problem.

"Eircom treats privacy and protection of all data extremely seriously
and we have taken the following pro-active measures to address the
situation," said a company statement.

"More than 20 customer care agents and account managers have initiated
a contact programme to telephone all 550 customers whose financial
data may be at risk.

"The agents will notify the customers of the risk and inform them of
the specific data involved. They will also answer any questions or
concerns they may have. In addition, all impacted customers will be
notified by letter.

"As a precautionary step, we have contacted the Irish Banking
Federation, who has notified their members of the potential risk to
data for affected eMobile and Meteor customers."

Data Commissioner Billy Hawkes later said that this was one of the
most serious breaches on the scale.

He said the financial data on unencrypted laptops had put people at
risk of identity theft and criticised eircom’s delay in telling
customers their data had been compromised.

Mr Hawkes said firms normally reported breaches within 24 to 48 hours
and said it was unacceptable that eircom was not initially aware what
information was on the laptops.

Communications companies are also subject to higher security standards
than other sectors by law, he added.

“Encryption of laptops where you do permit personal data to be stored
on them is bog-standard security so it’s extremely surprising that in
two separate incidents eircom laptops were not encrypted,” Mr Hawkes
said.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue
http://www.credant.com/campaigns/external_media_ebook/chapter1/lp/