Eircom Criticised Over Stolen Data by Commissioner

February 10, 2012 Updated: September 29, 2015

DUBLIN – Telecoms provider Eircom has notified the Data Protection Commissioner, Mr Billy Hawkes, of a potential data breach affecting up to 6,845 eMobile and Meteor customers.

Mr Hawkes has been critical of Eircom’s tardiness in reporting the breach, which happened in December 2011. The data was contained on three unencrypted laptops which were stolen from Eircom’s offices at Parkwest, Dublin and also from the home of an employee.

A statement from the telecoms company said “the incidents were immediately reported to the Gardai and two separate investigations are ongoing. There is no evidence at this time that the data at risk has been used by a third party.”

“As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile and Meteor customers,” said Eircom.

However, speaking on RTÉ’s Morning Ireland this morning, Billy Hawkes said “On the scale of breaches that he deals with at the Data Protection office, it would be one of the most serious breaches.” Mr Hawkes gave two reasons for the seriousness: the first was the nature of the financial data on the unencrypted laptops, which he said was ‘putting people at risk of identity theft’; the second was the long delay in telling people that their data had been compromised. Mr Hawkes said that “this meant that those involved did not have ample opportunity to protect themselves.”

Mr Hawkes said he was critical of Eircom because they were a communications company and thus subject to higher security standards by law than other companies.

When asked if Eircom’s delay in contacting customers was due to their trying to ascertain what data was on the laptops, Mr Hawkes said that this was not a valid excuse, “our normal delay in getting in reports is 24 to 48 hours, which is our guideline for reports of such incidents.”

With respect to the issue of data not being encrypted, Mr Hawkes said when customer data is being stored on a laptop then it is “bog standard security” to have it encrypted. “It’s extremely surprising that in two separate incidents Eircom laptops were not encrypted,” concluded Mr Hawkes.