Bank of Ireland loses four unencrypted laptops
Published: 23 Apr 2008 16:20 BST
The Bank of Ireland has lost four laptops containing sensitive customer details of approximately 10,000 people.
The laptops were not encrypted, according to a Bank of Ireland spokesperson. Customer details lost include bank accounts, names, addresses and medical details. The laptops only had standard username and password logins by way of security, according to the spokesperson.
Customers affected are those who took out or obtained a quote for a life-insurance policy from Bank of Ireland Life from branches in Drogheda; Dunleer; Bagnelstown; Court Place, Carlow; Stephen's Green; Tallaght; and Montrose last year, according to a statement on the Bank of Ireland website.
The four laptops were all stolen between June and October last year. Three were stolen from the boots of cars, said the spokesperson. The Bank of Ireland is only now starting to inform customers by letter as to whether they may have been affected.
According to the spokesperson, the thefts were reported to the Garda at the time but not to senior management.
"The issue arose in February of this year as part of routine compliance monitoring. That was when the issue came to light, at which time, a full investigation began; we had to do a full investigation [before informing customers]. We will be writing to customers in the next number of days," said the spokesperson.
Jason Hart, European chief executive of encryption company CryptoCard, told ZDNet.co.uk that, as well as customer details being compromised, the laptops themselves could hypothetically have been used in an attack through virtual private network (VPN) clients.
Read this
PGP: Encryption alone no cure for data breaches
In the fight against security breaches, PGP CEO Phil Dunkelberger cautions that encryption by itself is not the answer...
"You have unencrypted laptops being lost and they all have VPN clients into the business — that's a bigger risk," said Hart. "You can crack usernames and passwords easily, and usernames and passwords are [usually] the same to access other systems."
The Bank of Ireland spokesperson said there had been no unauthorised attempts to log into the bank's systems, and added that the bank had seen "no evidence of fraudulent activity" on any of the affected customers' accounts.
The spokesperson declined to comment as to whether the bank had changed its VPN clients as a result of the laptop losses but said that it was in the process of implementing encryption on all of its laptops, and that the encryption process would be completed "by the end of the week".
Ireland's data-protection commissioner, Billy Hawkes, has been informed, as well as other regulators, added the spokesperson.
- The top five internal security threats
- Information commissioner to act against HMRC, MoD
- Systemic failure blamed for HMRC data loss
- Virgin Media loses 3,000 customers' details on CD
- MoD announces data-protection action plan
- PGP: Encryption alone no cure for data breaches
- Keeping mobile data from going walkabout
- Justice minister urges overhaul of gov't data handling
- Research: Data privacy a low priority for CIOs
- NHS trust loses 21,000 patient details on laptop
- Scottish Ambulance Service loses encrypted 999 disc
- Whitehall reports 30 data losses since November
Did you find this article useful?
3 out of 3 people found this useful
- Share this article:
