Data Breach

  • 22-08-2018 9:54am
    #1
    Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭


    How and when are eir customers to be notified of the effects of the Data Breach on them individually, which happened 10 days ago.

    Is it not rather weird that there is a faulty security update and the day after that a laptop containing customer data was 'stolen'?

    Do customers now have to change all their passwords for the various eir services?

    Some information would be appreciated ........  even if it is 10 days late!



Comments

  • Registered Users, Registered Users 2 Posts: 8,679 ✭✭✭Chong


    How and when are eir customers to be notified of the effects of the Data Breach on them individually, which happened 10 days ago.

    Is it not rather weird that there is a faulty security update and the day after that a laptop containing customer data was 'stolen'?

    Do customers now have to change all their passwords for the various eir services?

    Some information would be appreciated ........  even if it is 10 days late!
    As a result of this breach does this allow for contract break free of charge?


  • Registered Users, Registered Users 2 Posts: 1,074 ✭✭✭MoyVilla9


    Are they seriously telling me that customer information was stored on non encrypted laptop? Absolutely ridiculous. 


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    MoyVilla9 wrote: »
    Are they seriously telling me that customer information was stored on non encrypted laptop? Absolutely ridiculous. 

    Even if we accept that an update magically unencrypted the data, what possible reason could they have for putting the data on a laptop and having it outside their premises?


  • Registered Users, Registered Users 2 Posts: 6,201 ✭✭✭troyzer


    MoyVilla9 wrote: »
    Are they seriously telling me that customer information was stored on non encrypted laptop? Absolutely ridiculous. 
    They'll be getting a heavy slap under GDPR for this.


  • Registered Users, Registered Users 2 Posts: 30,436 ✭✭✭✭Wanderer78


    I know a chap that hacked their network years ago, said it was very easy, but that was back in the 90's. Informed them of their vulnerabilities, admins went ballistic


  • Registered Users, Registered Users 2 Posts: 115 ✭✭SSeanSS


    no way a faulty security update un-encrypted the disk. think eir will have to come up with a better excuse because the public aren't that gullible


  • Closed Accounts Posts: 2,136 ✭✭✭eir: Tracey


    How and when are eir customers to be notified of the effects of the Data Breach on them individually, which happened 10 days ago.

    Is it not rather weird that there is a faulty security update and the day after that a laptop containing customer data was 'stolen'?

    Do customers now have to change all their passwords for the various eir services?

    Some information would be appreciated ........  even if it is 10 days late!
    Hi all, 

    We have an announcement on our website in relation to this. It advises you on all details, you can view this here

    Thanks 

    Tracey 


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    Hi all, 

    We have an announcement on our website in relation to this. It advises you on all details, you can view this here

    Thanks 

    Tracey 

    Hi Tracey,

    Can you let us know the lawful purpose for this information being stored on a laptop in a public place?

    Thanks


  • Closed Accounts Posts: 375 ✭✭eir: Sarah


    McGaggs wrote: »
    Hi all, 

    We have an announcement on our website in relation to this. It advises you on all details, you can view this here

    Thanks 

    Tracey 

    Hi Tracey,

    Can you let us know the lawful purpose for this information being stored on a laptop in a public place?

    Thanks
    Hi McGaggs,

    All the information we currently have has been posted to our website linked above. We will update you if further information becomes available to us.

    Thanks,

    Sarah


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    eir: Sarah wrote: »
    McGaggs wrote: »
    Hi all, 

    We have an announcement on our website in relation to this. It advises you on all details, you can view this here

    Thanks 

    Tracey 

    Hi Tracey,

    Can you let us know the lawful purpose for this information being stored on a laptop in a public place?

    Thanks
    Hi McGaggs,

    All the information we currently have has been posted to our website linked above. We will update you if further information becomes available to us.

    Thanks,

    Sarah
    So it is a heck of a lot worse than I thought!
    The laptop was password protected but not encrypted.


    In this case the laptop had been decrypted by a faulty security update the previous working day.





    How is this possible? ......... what operating system and what encryption scheme could allow this to happen?


  • Moderators, Politics Moderators Posts: 41,235 Mod ✭✭✭✭Seth Brundle


    When was the laptop stolen?
    When was the ODPC notified?
    What was the software update that unencrypted the laptop?
    What form of encryption was on the laptop?
    For what reason was the personal data for 37000 customers on a laptop?
    Is it commonplace for staff to require such large volumes of customer data on a portable device?
    Your explanation page states: "Our data protection rules are very rigorous" - how can for believe this to be the case given what happened?


  • Registered Users, Registered Users 2 Posts: 10,580 ✭✭✭✭Riesen_Meal


    troyzer wrote: »
    They'll be getting a heavy slap under GDPR for this.

    Yup,

    Mental a laptop can carry 37k users information on it...


  • Registered Users, Registered Users 2 Posts: 115 ✭✭SSeanSS


    eir: Sarah wrote: »
    McGaggs wrote: »
    Hi all, 

    We have an announcement on our website in relation to this. It advises you on all details, you can view this here

    Thanks 

    Tracey 

    Hi Tracey,

    Can you let us know the lawful purpose for this information being stored on a laptop in a public place?

    Thanks
    Hi McGaggs,

    All the information we currently have has been posted to our website linked above. We will update you if further information becomes available to us.

    Thanks,

    Sarah
    So it is a heck of a lot worse than I thought!
    The laptop was password protected but not encrypted.


    In this case the laptop had been decrypted by a faulty security update the previous working day.





    How is this possible? ......... what operating system and what encryption scheme could allow this to happen?
    This would not happen on Microsoft or MacOS, wouldn't happen either on most Linux distributions but I really doubt eir would be using Linux. There are no Microsoft or MacOS updates that will unencrypt a disk, it's complete lies! There is one update that will crash in Windows 10 if disk is encrypted but it certainly won't dis-encrypt it. Think of it like, how could a separate update do this.. also if this were possible we'd have heard about it already!


  • Registered Users, Registered Users 2 Posts: 13,439 ✭✭✭✭Purple Mountain


    Your statement does not say why a laptop with 37,000 people's personal details was in a 'public place'?
    Please could your press release/PR representative people explain this?
    Why would IT hardware need to be in a 'public place' and removed from your office?
    This is absolute negligent behaviour that staff are allowed to take a laptop off site that contains tens of thousands of customers' details that are not encrypted.
    Can you explain what consequences have been levied against the staff member(s) from whose care the laptop was stolen?

    To thine own self be true



  • Registered Users, Registered Users 2 Posts: 1,633 ✭✭✭flexcon


    When was the laptop stolen?
    When was the ODPC notified?
    What was the software update that unencrypted the laptop?
    What form of encryption was on the laptop?
    For what reason was the personal data for 37000 customers on a laptop?
    Is it commonplace for staff to require such large volumes of customer data on a portable device?
    Your explanation page states: "Our data protection rules are very rigorous" - how can for believe this to be the case given what happened?
    You probably won't get this information right away if at all. They don't have to share it - Long Shot.

    As for GDPR, there is no way they would get away with this. The penalty is insane. You're talking about Millions of euro here.

    I recently went through the GDPR training and it seems the EU takes this very very seriously.

    I'd imagine in the background there are some frantic lawyers and advisors working out how to play this. Main thing to take away from this though is they let us all know within ten days. It actually happened this time.


  • Registered Users, Registered Users 2 Posts: 837 ✭✭✭ArrBee


    Ahhh, It's fairly easy to imagine customer data being on a laptop.

    The only bit that I'd call out is the excuse given for the lack of encryption.
    It's clearly made up to excuse the breaking of internal policy (FAQ says it's policy for password+encryption).


  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    Jesus, rough crowd!! Eir have millions of customers and people are questioning WHY 37k customer's data was on a laptop, and in a public place? Of all the stupid ****in' questions...

    As the previous poster said, the main issue here is the laptop wasn't encrypted, that's just ridiculous.


  • Registered Users, Registered Users 2 Posts: 2,496 ✭✭✭irishgrover


    If I was a reporter and of a mind to be inquisitive I would do some digging and find out what company provide the software for software encryption for Eir (there are not that many and I think we could already guess who it is). I'm sure it would not be that difficult to find out. I would then ask them to comment on the fact that according to Eir their software updates "accidentally unencrypt" laptops.......
    This excuse reeks of what corporations later refer to as "we misspoke" when they have been found out....


  • Registered Users, Registered Users 2 Posts: 43,028 ✭✭✭✭SEPT 23 1989


    I am one of the 37k

    Received an e mail today


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    I am one of the 37k

    Received an e mail today
    Care to share the contents of the email? ----  without personal info of course


  • Posts: 0 [Deleted User]


    Dear......

    I am writing to you to inform you of the loss of personal data of a number of eir customers. This issue has arisen as a result of the theft of one laptop, which was immediately reported to the Gardai. A comprehensive internal investigation and security review has been launched and the matter has been reported to the Office of the Data Protection Commissioner.

    Unfortunately the stolen laptop contained a file containing some or all of the following information specifically relating to you: name, email address, eir account number and contact number. No financial data relating to you was stored on the laptop in question, or any other personal data.

    While there is no evidence at this time that the data has been used by a third party, as a precaution we are writing to all those affected and advising them to be extra vigilant.

    On behalf of eir I would like to apologise for any concern this may cause you.

    eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and has since been corrected.

    More information in relation to this matter is available at www.eir.ie/customer-announcement

    Yours sincerely
    Catherine Lonergan
    Catherine Lonergan


  • Moderators, Politics Moderators Posts: 41,235 Mod ✭✭✭✭Seth Brundle


    According to her LinkedIn profile Catherine Lonergan's role is "Managing Director Sales".
    Strange how the letter isn't from their data protection officer whose details are not easy to find from Eir, but I believe is Mary Colhoun.


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    ArrBee wrote: »
    Ahhh, It's fairly easy to imagine customer data being on a laptop.

    The only bit that I'd call out is the excuse given for the lack of encryption.
    It's clearly made up to excuse the breaking of internal policy (FAQ says it's policy for password+encryption).

    I can't think of a reason why. Why do you think they needed it ? Genuinely curious to figure out why


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    Pelvis wrote: »
    Jesus, rough crowd!! Eir have millions of customers and people are questioning WHY 37k customer's data was on a laptop, and in a public place? Of all the stupid ****in' questions...

    As the previous poster said, the main issue here is the laptop wasn't encrypted, that's just ridiculous.

    4% of the customer base being affected isn't nothing.


  • Closed Accounts Posts: 3,378 ✭✭✭CeilingFly


    Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

    It's relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    CeilingFly wrote: »
    Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

    It's relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???
    Jeeze! 

    What a stupid post!


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    CeilingFly wrote: »
    Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

    It's relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???

    Who the hell gets paper bills from eir?

    Pretty easy to do a chargeback on a credit card.


  • Moderators, Education Moderators Posts: 2,610 Mod ✭✭✭✭horgan_p


    CeilingFly wrote: »
    Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

    It's relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???
    Simple. It's because GDPR. The public, the media (and some would say the commissioner) have all been waiting to make an example of someone.
    And along came Eir.......


  • Registered Users, Registered Users 2 Posts: 1,303 ✭✭✭sexmag


    horgan_p wrote: »
    Simple. It's because GDPR. The public, the media (and some would say the commissioner) have all been waiting to make an example of someone.
    And along came Eir.......

    To be fair the laptop wouldn't have solely been the purpose of these 37k customers, most likely the manager received a file to review, could have been a spreadsheet of data collected to help understand something better, this is their work laptop, many people take them home, it's possible he went to a beach to continue working off site and was mugged....who knows.

    The data that was taken will have no effect on people, it's account numbers and contact preferences, nobody will be able to do anything with it, especially with the new stringent gdpr q questions their customer service have. It's just lost data that's it and because it was reported immediately and depending on the circumstance they may not be fined at all

    Everybody up in arms, there won't be identity theft or anything from this

    Edit: You should all be a lot more concerned about Google tracking your movements even when you've deactivated your location for them to do that, someone knowing where you come and go is a lot more serious than your name and email on a laptop that a thief may or may not have access to


  • Closed Accounts Posts: 3,378 ✭✭✭CeilingFly


    CeilingFly wrote: »
    Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

    It's relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???
    Jeeze! 

    What a stupid post!
    Jeeze, your name and email address is on a lost laptop 


    Wow.

    Utterly boring .


  • Registered Users, Registered Users 2 Posts: 13,439 ✭✭✭✭Purple Mountain


    sexmag wrote: »
    To be fair the laptop wouldn't have solely been the purpose of these 37k customers, most likely the manager received a file to review, could have been a spreadsheet of data collected to help understand something better, this is their work laptop, many people take them home, it's possible he went to a beach to continue working off site and was mugged....who knows.

    The data that was taken will have no effect on people.

    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    To thine own self be true



  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.


  • Registered Users, Registered Users 2 Posts: 13,439 ✭✭✭✭Purple Mountain


    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers.

    To thine own self be true



  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    I think the main concern is that a bunch of laptops had failed encryption, from the previous day, and at least one is allowed off premises in that state, and gets stolen.


    I wonder what are the chances of all those events coinciding like that?


  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers.

    Do you work in the real world? You understand people work remotely, yes?

    The problem is not that the laptop was in a public place, the problem was inadequate security measures on the laptop.


  • Closed Accounts Posts: 166 ✭✭henryforde80


    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    Work laptops should not be allowed off site? Funniest comment I ever read.

    The problem here is that Eir service desk are not encrypting all their laptops or I.T Security are not monitoring report logs to see if all laptops are encrypted. Must have lacklustre security standards


  • Closed Accounts Posts: 31,152 ✭✭✭✭KERSPLAT!


    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers.

    Surely you realise that devices have to leave the office. Sure an email to a phone could have an Excel doc with thousands of customers details on it. Should a work mobile be used only in the office? Silly talk.

    As was said, the issue is not the laptop being in a public place or it being lost/stolen really, it's the fact that it's not encrypted.


  • Registered Users, Registered Users 2 Posts: 1,303 ✭✭✭sexmag


    Their statement said something like it being encrypted but due to an update it failed or deactivated the encryption, not sure how that happens and I'm sure the person with the laptop is no security expert so probably didn't know and it's an unfortunate coincidence it was stolen during the weekend this error happened.

    They say it's password protected but not encrypted and I highly seriously highly doubt that this was a well thought out play from a criminal to make sure the encryption fails, the laptop is off site, steal it, have the password to access it to get the account number and email address of 37k customers. They'd have better luck firing off random phishing emails from a bot.

    I'm taking it as it is, combination of an IT failing and bad luck being stolen but with little to no damage to people and to state for the record I was affected by this


  • Moderators, Politics Moderators Posts: 41,235 Mod ✭✭✭✭Seth Brundle


    I think the main concern is that a bunch of laptops had failed encryption
    I bet you a grand this is bullshít!


  • Registered Users, Registered Users 2 Posts: 1,303 ✭✭✭sexmag


    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly


  • Registered Users, Registered Users 2 Posts: 115 ✭✭SSeanSS


    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    SSeanSS wrote: »
    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.
    Is it possible that when the laptop is in use and the encryption is bypassed, or off, or whatever that allows the user to use the laptop, that some corrupted security update, during that time, could prevent the encryption from being reset correctly when the user has finished using the laptop?


  • Registered Users, Registered Users 2 Posts: 1,303 ✭✭✭sexmag


    SSeanSS wrote: »
    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.
    Is it possible that when the laptop is in use and the encryption is bypassed, or off, or whatever that allows the user to use the laptop, that some corrupted security update, during that time, could prevent the encryption from being reset correctly when the user has finished using the laptop?
    It's not a far stretch of the imagination but human error can do some funny things


  • Registered Users, Registered Users 2 Posts: 837 ✭✭✭ArrBee


    McGaggs wrote: »
    ArrBee wrote: »
    Ahhh, It's fairly easy to imagine customer data being on a laptop.

    The only bit that I'd call out is the excuse given for the lack of encryption.
    It's clearly made up to excuse the breaking of internal policy (FAQ says it's policy for password+encryption).

    I can't think of a reason why. Why do you think they needed it ? Genuinely curious to figure out why


    There are many possible reasons. And the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example, 
    Companies tend to use laptops instead of desktop PCs this century.  Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performances causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it.  I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening.  Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.



    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as a "ahh sure it was only minor".  Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    SSeanSS wrote: »
    This would not happen on Microsoft or MacOS, wouldn't happen either on most Linux distributions

    Where does it say it was OS encryption stuff?


    SSeanSS wrote: »
    There are no Microsoft or MacOS updates that will unencrypt a disk, it's complete lies!


    Where does it say it was OS encryption stuff?

    SSeanSS wrote: »
    There is one update that will crash in Windows 10 if disk is encrypted but it certainly won't dis-encrypt it.


    Where does it say it was OS encryption stuff?

    SSeanSS wrote: »
    Think of it like, how could a separate update do this.. also if this were possible we'd have heard about it already!

    telpis


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    If a company has employees working from home, they'd have them on their own PC using a VPN.


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    KERSPLAT! wrote: »
    Surely you realise that devices have to leave the office. Sure an email to a phone could have an Excel doc with thousands of customers details on it. Should a work mobile be used only in the office? Silly talk.

    As was said, the issue is not the laptop being in a public place or it being lost/stolen really, it's the fact that it's not encrypted.

    Any half decent company blocks emails going externally if they have unencrypted attachments.


  • Registered Users, Registered Users 2 Posts: 5,876 ✭✭✭The J Stands for Jay


    ArrBee wrote: »
    There are many possible reasons. And the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example, 
    Companies tend to use laptops instead of desktop PCs this century.  Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performances causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it.  I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening.  Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.



    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as a "ahh sure it was only minor".  Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.


  • Registered Users, Registered Users 2 Posts: 1,633 ✭✭✭flexcon


    McGaggs wrote: »
    ArrBee wrote: »
    There are many possible reasons. And the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example, 
    Companies tend to use laptops instead of desktop PCs this century.  Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performances causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it.  I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening.  Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.



    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as a "ahh sure it was only minor".  Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.
    As another example:

    Customer relations team member is off sick for a day and signs into the Eir network away via VPN from home to respond to customers complaint rather than wait another few days while they are off sick or back pile the load onto someone else in the office.

    Goes for lunch and forgets to sign out of VPN. Laptop stolen whilst on and open. Access to as much customer data as they want.... Temporarily mind you.

    Lots of admin work gets done in these scenarios and is honestly quite common. So many scenarios this can happen to. 

    You would be shocked at how easy any customer service agent can see your details.


    Lastly to add. Even if this laptop was taken for 24 hours missing and they got it back. Even if the laptop was never turned on. Even if no access was made to your data, they still must inform you no matter what. So the language is scary saying "It has come to our attention your data may have been compromised"

    When in fact contextually it never even came close to it. GDPR laws and requirements of language makes it sound really more nasty than it probably is.


  • Registered Users, Registered Users 2 Posts: 837 ✭✭✭ArrBee


    McGaggs wrote: »
    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    If a company has employees working from home, they'd have them on their own PC using a VPN.
    That's an incorrect speculation.
    That is a greater risk for virus infection.

