The eir laptop theft that was revealed this week was pretty … actually … it was really bad and deeply embarrassing for eir. However, details that emerged from the statement by the Data Protection Commission showed that it could have been a LOT worse. 1,500 laptops worse!
First up though I did a short video recently explaining why loss of mobile devices (including laptops) is a Data Breach under #GDPR. Have a quick watch and then come back here.
Why was the laptop not encrypted?
They’ve not specified exactly what happened, but I surmise that eir use a third party package to secure their mobile devices and some of the many problematic monthly updates that Microsoft released in July caused them issues. It must have been bad for them to have to decrypt 1,500 laptops. In fairness to eir, they at least notified the Data Protection Commission (DPC) about this on the 10th of August.
What happened next?
At some point between 10th August and last weekend, one of the 1,500 unsecured laptops was stolen outside eir’s premises. In other words, an employee/contractor removed one of the laptops from eir’s premises and then fell victim to a thief.
What was on this eir laptop?
According to the report from the DPC – names, email addresses, mobile numbers & account numbers for 36,642 customers and names & contact details for 177 eir employees.
That doesn’t sound too bad … does it?
As I say to people in my training, it’s all about the context. If you are a florist and you lose a list of names and addresses of your customers, there may not be a significant risk to those individuals with respect to their rights and freedoms. So you probably won’t need to notify them about the breach. It might be a borderline call as to whether you would need to notify the DPC. I would say you should.
Now let’s say that list of names and addresses is for clients of a sexually transmitted disease clinic. The context now shifts dramatically, as there is now a significant risk to the individuals’ rights and freedoms. If that list became public, there would be much embarrassment to those people. So you would definitely be reporting to the DPC and also notifying the affected people.
In the eir laptop case, the fact that there are email addresses and account numbers is quite concerning. If an evil-doer uses all of the available information, they could craft an extremely plausible phishing e-mail with which they could con the victim into doing something that is not in their best interests.
Also, if the bad guys combined the detail from the eir laptop with some information they gleaned from answers to fun quizzes, they may be able to impersonate the eir customer to an eir customer service agent and effectively take over the customer’s account.
What should have happened?
Once eir were aware that all of these devices were unsecured, they should never have been allowed to leave the premises. They should have been locked to the employees/contractors desks and the keys stored in the kennel of a hungry rottweiler until the issue with the patch was rectified.
What have eir done?
Well they had been busily working away re-encrypting their laptops and according to the DPC’s statement they had all but 46 completed as of 22nd August.
They have also notified the affected customers, by email from a “no-reply” email address, which is pretty crappy. They really should have a specific email address and freephone telephone number for those impacted customers.
What should we all learn from this?
The most important thing we should all learn from this eir laptop theft case is that, if you have a mobile device of any type, even if it doesn’t currently have personal data on it, encrypt the thing! If it’s not encrypted, keep it securely stored in your premises – don’t ever take it off premises.
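As an added illustration (not from the original post, and not eir’s own tooling), here is the kind of PowerShell check a defender could run across a Windows laptop fleet to catch exactly this failure mode: a device whose drive encryption has been switched off. It assumes BitLocker as the encryption product and WinRM access to the laptops; the post does not name eir’s actual encryption package, and the computer names below are constructed placeholders.

```powershell
# Added example: audit BitLocker protection across a set of laptops and flag
# any device that must not leave the premises because its system drive is
# not fully encrypted with protection switched on.
# Assumptions (not from the post): Windows laptops using BitLocker, WinRM
# enabled for remote sessions, and an account permitted to query them.

function Test-LaptopEncryption {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    foreach ($pc in $ComputerName) {
        try {
            # Query the OS volume's BitLocker state on the remote machine.
            $vol = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
                Get-BitLockerVolume -MountPoint $env:SystemDrive
            }
            # A device is only safe to take off-site when the drive is fully
            # encrypted AND protection is on. A decrypted or suspended drive
            # fails one of these tests, which is the eir scenario.
            $safe = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                    ($vol.ProtectionStatus -eq 'On')
            [pscustomobject]@{
                ComputerName      = $pc
                VolumeStatus      = $vol.VolumeStatus
                ProtectionStatus  = $vol.ProtectionStatus
                EncryptionPercent = $vol.EncryptionPercentage
                SafeToLeaveSite   = $safe
            }
        } catch {
            # Unreachable or unqueryable devices are treated as unverified,
            # which for this purpose means "do not let it leave the building".
            [pscustomobject]@{
                ComputerName      = $pc
                VolumeStatus      = 'Unknown'
                ProtectionStatus  = 'Unknown'
                EncryptionPercent = $null
                SafeToLeaveSite   = $false
            }
        }
    }
}

# Constructed placeholder names; replace with the real fleet list.
$fleet  = @('LAPTOP-001', 'LAPTOP-002', 'LAPTOP-003')
$report = Test-LaptopEncryption -ComputerName $fleet
$report | Format-Table -AutoSize

# Devices that must stay on premises until re-encrypted:
$report | Where-Object { -not $_.SafeToLeaveSite } |
    Select-Object -ExpandProperty ComputerName
```

Run on a schedule, the list of devices with SafeToLeaveSite set to false is the list that should be locked to a desk until the encryption product is working again.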
If you want to learn more about good security practice send an e-mail to info@L2CyberSecurity.com and we can talk to you about training and practical steps to improve your cyber security set-up.