Three laptops belonging to Irish telco Eircom that were stolen in two separate incidents in December and January contained unencrypted data pertaining to 6,845 current and former customers, the company admitted today.
The lost data includes financial details of up to 550 customers of the telco’s mobile telephony subsidiaries, eMobile and Meteor. One of the laptops was stolen from an employee’s home and the other two from Eircom’s offices in Dublin.
Speaking on Irish morning radio, the Irish Data Protection Commissioner Billy Hawkes said this was one of the "most serious breaches" his office had ever seen due to the sensitive nature of the information, the long delay before Eircom informed customers, and the fact that a telecommunications company Eircom is subject to stricter data security laws.
Eircom said the delay in notifying customers was due to their need to find out what information was on the laptops. "That’s not acceptable," Hawkes commented. "Our normal delay in getting reports in is 24 to 48 hours which is our guideline for reports of such incidents, so I find it very surprising to hear that reason being given by Eircom."
In a statement, Eircom said that the personal data at risk includes details such as names, addresses, and telephone numbers as well as copies of documents from the application process such as passports, drivers licences, and other photo IDs. "In some cases financial data such as bank account, [debit] or credit card details is also at risk," Eircom wrote.
Eircom is reviewing its encryption policy in the wake of the theft, it says.