Personal Details Of 75,000 People On Stolen Bord Gáis Laptops

You’ve probably already heard the news from yesterday evening about the theft of four laptops from the offices of Bord Gáis in Dublin. If not, a burglary took place on Friday 5th June at Bord Gáis offices in Dublin in which the laptops were stolen. It has been confirmed that account numbers and personal details of 75,000 customers were held on the laptops.

The news doesn’t really come as a surprise to me especially after the recent news of 13 laptops stolen in Belfast and another 15 stolen from the HSE, all within a matter of weeks. What does surprise me though is the incorrect news about this incident and the lack of information provided to the public.

Bord Gáis has released an official statement on their website about the incident which you can read here.

Taking a look over the statement there are a number of things that just don’t sit right with me.

What information was stolen?
The information on one of the stolen laptops contains names, addresses and bank account details of the affected customers.

Question: why were bank account details of customers being held on a laptop? I can’t think of one reason why ANY company would need to keep bank account details of their customers on a laptop; that’s being careless.

What information was on the laptops?
Of the four laptops stolen, one had hard drive encryption and the remaining three had sophisticated password protection.

Only one hard drive was encrypted? It seems some media are reporting this incorrectly, as RTE News and Irish Examiner have stated only one laptop was NOT encrypted.

I’d love to know what sophisticated password protection was being used by Bord Gáis, or is that just an excuse to the public who know no better about passwords? I’ve already said passwords can be cracked when the Belfast Civil Service used this excuse.

One of the laptops with password protection contained the details of Bord Gáis Energy’s residential electricity customers who pay via direct debit.

So the laptop that contained banking details of customers was not encrypted, why?

What is the likelihood this information will be misused?
Typically in incidents involving the theft of a laptop it is completely cleaned and sold on within 24 hours.

Completely cleaned? So the thieves are highly experienced in removing data completely from hard drives? I doubt it. Of course this is also assuming the thief does not power on the laptop, does not try to bypass the user account or attempt to crack the password.

We have been reliably informed that there has not been any case in Ireland where data that was contained on a stolen or lost laptop has been used fraudulently, and because of this we believe the likelihood of the information being misused is minimal.

I disagree 100% with this statement and would like to know where this reliable information came from.

There is no mandatory breach disclosure in Ireland for companies who experience such incidents. It’s impossible to say how many laptops get stolen from businesses in Ireland each week/month/year, so it’s impossible to tell if there have been any cases in Ireland where data that was contained on a stolen or lost laptop has been used fraudulently.

There is no excuse for a company as large as Bord Gáis to fail their customers like this, but unfortunately, with the lack of laws to protect customers’ data, we’ll be seeing more and more of these incidents in the future.

If you are part of a company that deals with sensitive customer information contact us to demo our data encryption/auto destruction service.
