Eir is in hot water again with the Data Protection Commissioner after the company issued a statement saying that it had lost an unencrypted staff laptop containing the details of 37,000 Eir customers. Eir has said that the data contained names, email addresses and customer account numbers, but that no financial details were compromised in the breach.
Eir is no stranger to data breaches, and has reported having multiple laptops with customer data lost or stolen in the past.
The telecoms giant has claimed that all laptops are encrypted by default, and blamed a faulty security update for the laptop being unencrypted at the time it was stolen.
“Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved.”
However, some security experts have expressed doubts about this statement. According to respected infosecurity specialist Graham Cluley, “I must admit that I find it somewhat hard to comprehend how a borked security update would leave a hard drive unencrypted (unless that security update was actually pushed out to encrypt a laptop’s drive in the first place, and failed), but even if that explanation is accepted one has to wonder what on earth a computer containing the personal details of 37,000 users was doing outside of Eir’s premises. It’s hard to imagine any scenario when it would be necessary to store such data on a laptop, rather than holding it on a secure server.”
Nor is Eir any stranger to data breaches involving lost laptops containing customer data. In 2011, two Eircom (as they were then known) laptops were stolen containing the details of nearly 7,000 Meteor and eMobile customers. Eircom only revealed this information to the Data Protection Commissioner several months afterward, despite the financial details of at least 550 customers also being compromised in the breach.
In this latest breach, Eir notified the Data Protection Commissioner and affected customers immediately, a welcome change from their ways of old, and perhaps due in part to the GDPR – the European data protection regulation with the power to hand down very large fines to Eir should they not notify the DPC within 72 hours of the discovery of a breach.
Eir has also traditionally been plagued with phishing scams directed towards its customers, who are being warned to be extra vigilant about any unsolicited phone calls they may receive from people purporting to be from the company, even if they are able to quote personal information such as phone numbers or even account numbers – as this data may be known to criminals after being compromised in the breach.
Eir is keen, however, to point out that there is currently no evidence that the compromised data is being used maliciously by a third party, but only time will tell if this is the case or not.