It's not great when any organisation loses a laptop, but if the contents of the computer's hard drive have been fully encrypted and a strong password has been used, it's hardly the end of the world. After all, the chances of a criminal being able to access any sensitive information on the mislaid or stolen device are remote, and the cost should be limited to the purchase of a replacement. But things are much worse if the lost laptop wasn't encrypted and contained the personal details of thousands of your customers. That's what Irish telecoms operator Eir has admitted happened to it earlier this month, blaming a "faulty security update" for leaving unencrypted a staff member's laptop, which was stolen outside one of its offices.
"Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved."
I must admit that I find it somewhat hard to comprehend how a borked security update would leave a hard drive unencrypted (unless that security update was actually pushed out to encrypt the laptop's drive in the first place, and failed), but even if that explanation is accepted, one has to wonder what on earth a computer containing the personal details of 37,000 users was doing outside Eir's premises.

It's hard to imagine any scenario in which it would be necessary to store such data on a laptop rather than on a secure server. Sensitive personal information about customers should always be held on a central server, which can be protected with multiple defensive layers, rather than on a laptop, which by its very nature can easily be mislaid or stolen. And if remote workers do need to access sensitive data from outside the organisation, a better process would be for staff to authenticate their identities and view customer information over a controlled connection, rather than having it stored on (in this case) an unencrypted, insecure laptop hard drive.

Eir's customer advisory says that the exposed information may include customers' names, email addresses, Eir account numbers, and contact phone numbers. In the past, stolen information of this kind has been exploited by criminals making scam phone calls and sending bogus emails purporting to be from the breached company, in an attempt to gather further personal data (including, perhaps, payment information) and con innocent victims. As a result, Eir customers would be wise to be wary of unsolicited phone calls, letters, and emails they receive purporting to come from the company, even if they quote personal information such as account numbers, as they may have been sent by fraudsters. Of course, it's possible (and Eir is keen to emphasise this point) that the theft of the laptop was motivated more by someone interested in wiping it and selling it on down the pub than by identity theft.
Let's hope, for Eir's sake and that of its customers, that this is the case. Eir says that it is reviewing its IT and data protection policies in an attempt to prevent a similar situation from occurring again. The company says that it has reported the incident to the Data Protection Commissioner and to Irish police.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.