Eircom, the company that dominates telecommunication services in Ireland, has revealed two data breaches that affect over 7,000 in total. In one instance, two laptops were stolen from Eircom’s offices. In the other, one laptop was stolen from an employee’s home. None of the laptops were protected with full disk encryption like AlertBoot despite existing corporate encryption policies.
6,845 Customers and 686 Meter Employees
In total, 7,531 people were affected by the two separate incidents (a situation that could easily have been avoided by the use of encryption software).
The first data breach, affecting 6,845 customers, occurred during 2011’s year-end festivities. Two laptops were stolen from Eircom’s offices in Dublin.
Personal data for 6,441 current and former eMobile business customers, from August 2010 to December 2011, were lost in the process. Of these, 146 customers had their financial data breached, including bank account details. Most clients’ names, addresses, and phone numbers were breached as well.
In addition, 404 Meteor post-pay customers who applied for services via the internet, from January 2011 to July 2011, were affected as well. For these customers, “a range of documents they used to prove their identity in their applications – like passport or drivers licence details, photo IDs or utility bills – were included,” according to rte.ie. In some cases, bank account, Laser debit card, or credit card details were included.
The second breach, which also occurred in December 2011 and affects 686 Meteor employees, occurred at an employee’s home. It appears that only names and addresses were stolen.
Flexibility Requires Resolute Policies…and Follow Up
As noted earlier, none of the laptops were protected with computer encryption software, despite its use being a company policy.
While Eircom has an encryption policy for its laptops it is understood none of the three stolen laptops were encrypted. [Company head of communications Paul] Bradley said this incident “shouldn’t preclude employees working in a flexible matter” in being able to bring laptops home with them. [thejournal.ie]
I agree with Mr. Bradley. And disagree.
Every company in the world is looking to make the move, or has already made the move, to a flexible, mobile workforce, fully or partially. Such flexibility allows employees to be more productive and, more often than not, leads to a better quality of life.
However, that transition is also marked by companies properly securing communications and data. If the security is not there, employees should be stopped from taking laptops outside of physically secure perimeters (which, obviously, doesn’t always prevent a data breach, which the first data breach clearly demonstrates. However, it definitely reduces the occurrence of such incidences).
The transition to a flexible workplace requires the use of data security tools and programs, the same programs the company has penned into its policies. While these two breaches shouldn’t preclude all employees from working in a flexible manner, it’s only true for those who have the proper data security solutions in place. For everyone else, they should be precluded from working in a flexible manner.
I mean, isn’t that what Eircom’s own policies imply, if not indicate directly?
The bigger question that’s not being discussed is, why were these laptops not encrypted? And how many more are out there?
Disk Encryption at The Enterprise Level
It is very apparent to me that regular audits and monitoring of computers would have prevented these two data breaches. Carrying out such audits is not difficult — or at least, it does not have to be difficult. Enterprise-level disk encryption generally tends to come with encryption audit reports.
For example, in AlertBoot, you could say the encryption model revolves around the reports. Because we offer disk encryption on-demand in the cloud — allowing any IT departments or end users to easily encrypt their laptops wherever they might be, as long as a temporary internet connection is present — it is imperative to keep track of which laptops are encrypted, more so for us than other encryption providers.
This model also facilitates the reporting on which laptops are secure, which ones are not, when they were last seen, etc. — any metrics that can be tracked and be used to prove that a device was properly protected (or not) in the event a laptop goes missing.
Eircom is, as far as I can tell, a gigantic company. A virtual monopoly is how some put it, seeing how it’s a newly privatized (relatively speaking) state-owned company, and has managed to hold on to the majority of its market. If they’re not using enterprise-level encryption…well, that’s not really a problem; it just means they’ve opted to do things the hard way (such as encrypting laptops one by one, literally).
But, if they do have enterprise-ready encryption, these two breaches seem to indicate that someone is not doing their job (and I’m not referring to the employees who used the laptops that were stolen).
Related Articles and Sites: