Eircom eMobile and Meteor plead guilty breaches of data protection

cookie1977

http://www.rte.ie/news/2012/0910/emobile-meteor-guilty-of-data-legislation-breach.html

The charges follow the theft of two unencrypted laptops from the office of Eircom Ltd, trading as eMobile, and Meteor Mobile Communications Ltd, trading as Meteor, in Parkwest in Dublin late in 2011 or early in 2012.
The laptops contained personal and financial information of customers. Both companies are part of the Eircom group.
They were charged with failing to protect the personal data held on the laptops, failing to notify the Data Protection Commission of this personal data breach without undue delay and failure to notify the effected individuals without delay.
It is the first prosecution taken with regard to the loss of personal data on an unencrypted laptop.

bjmeag

Meteor only notify you of anything if they are looking for money.:)

antodeco

But surely all the content is on a seperate system that is required to be logged into. Simply stealing a laptop wont give a huge amount of information I would imagine?

kenyard

antodeco wrote: »

But surely all the content is on a seperate system that is required to be logged into. Simply stealing a laptop wont give a huge amount of information I would imagine?

what is a system? its pretty much a computer..generally a server indeed which needs to be logged onto.
clearly in this instance they kept information on laptops, which were taken. of course the data is probably password protected...probably... in which case it would take the people who stole them time to get the information (and they probably dont want it, rather just wanted the hardware - the laptops)

either way good to see this type of fine. i get annoyed at how poor security related to this stuff is.

antodeco

Well thats true. It was all about the harware! I can tell you with 100% certainty, there was no way the people who took these laptops had direct access to any information. Specific IP access/Login requirements are needed. Still, wonder how the hell someone managed to swipe laptops. Did they just walk in?

cookie1977

antodeco wrote: »

Well thats true. It was all about the harware! I can tell you with 100% certainty, there was no way the people who took these laptops had direct access to any information. Specific IP access/Login requirements are needed. Still, wonder how the hell someone managed to swipe laptops. Did they just walk in?

They did admit to the laptops being unencrypted and that they were only password protected:

The court heard that the theft of the two password-protected but unencrypted computers...

They also discovered 160 more laptops that were also unencrypted (they have since been encrypted). If the "password" was a windows system password then the data was easily accessible to the most basic of techies.

wonski

antodeco wrote: »

But surely all the content is on a seperate system that is required to be logged into. Simply stealing a laptop wont give a huge amount of information I would imagine?

Nope - my personal info, including bank account number, addresses etc was there. From what i remember those laptops were used to process online applications for bill accounts.
All affected customers got one month free line rental btw. Don't think anyone suffered any loss as a result of this.

murfinsurfin

So from what I can see, over 10000 customers had their personal data stolen, at a cost to eMobile/Meteor of €1.50 per customer, what a boon to the data stealing community! They would normally pay much more for the data.
If anyone feels blase about this, they should know that personal information is worth thousands to the right people/organisations. Having your date of birth means someone can apply for your birth certificate. With that paper they can access lots of other stuff, like a driving licence, passport etc. It's called identity theft, much more prevalent than we assume,& growing exponentially.
If anyone feels that a password protects them, any reasonably competent techie can break even the most complicated one in about 15 mins, the free software available on the net can even break a BIOS password. Encryption however is different, unless the encrypt key is correct, all that exists is total gobbledygook. The most important thing about encryption is a good strong password, after that it would take very sophisticated software to break it.
Basically I'm appalled that the company got away so light, I feel the judiciary have not yet caught on to the seriousness of the breach, and fined accordingly.

_Kaiser_

antodeco wrote: »

Well thats true. It was all about the harware! I can tell you with 100% certainty, there was no way the people who took these laptops had direct access to any information. Specific IP access/Login requirements are needed. Still, wonder how the hell someone managed to swipe laptops. Did they just walk in?

By the sounds of it the laptops must have contained exports from whatever systems are used - eg: Excel sheets with all the customer's details.

As already mentioned if the laptop was only protected with a Windows password that can be bypassed easily by anyone who's ever had to backup a failed Windows install.

wonski wrote: »

All affected customers got one month free line rental btw. Don't think anyone suffered any loss as a result of this.

One month's free rental for the possible loss of all your confidential data and banking details isn't worth much though - seems Meteor/Eircom/eMobile attended the same "what is adequate compensation for a customer when we royally mess things up" course that Ulster Bank did! :rolleyes:

finnegan101

it does seem crazy that the penalties are so light... and the consumers get little or no compensation in most cases...
although they have since admitted to several more breaches in recent weeks, it appears their managers are continuing to allow their customer service staff to continue to operate contrary to data protection legislation...