Bank of Ireland Security Breach - 10,000 Customers

April 22nd, 2008 by James

The theft of four Bank of Ireland laptops containing customers’ names and addresses, medical backgrounds, life assurance details and bank account details is big news at the moment.

The details of 10,000 customers were stored unencrypted on a number of laptops that were stolen - one from a BoI branch, and three from cars on separate occasions. I won’t even think about the laptop that was stolen from a branch - if somebody can walk into a bank and steal a laptop then obviously there is a much bigger issue here. But I’m stunned by the theft of laptops from cars - were these sitting on the passenger seat while some guy went in to Spar for his breakfast roll? Many companies train their employees on how to avoid getting their laptop stolen. Some high-tech approaches include putting the laptop into the boot of the car before leaving the office. But when you’re dealing with something as sensitive as we have here, is it even necessary for the information to leave the relative safety of BoI HQ? Why were employees of the bank carrying such sensitive information around in their cars? Why was it not encrypted? The fact that this was allowed to happen in the first place shows a lack of security awareness in the bank, and an inadequate security policy in place.

It gets worse. Justin Mason points out that the breach did not come from the bank at all - it was the DPC who first raised the issue. As we mentioned in relation to the jobs.ie hack, there are currently no laws for mandatory disclosure in Ireland. So if the bank does not take responsibility and inform its victims of the theft (out of good will or otherwise), how can we know that this has not happened before? They have admitted that this is not a once-off; these four laptops were stolen on separate occasions.

So what now for the 10,000 people who have had their medical details compromised? RTE references a statement by Mr Burrows from Bank of Ireland:

Mr Burrows, who was speaking in Belfast at the launch of new bank notes, admitted that the theft had been deeply embarrassing for the bank. But he said the bank is confident that none of the information stored on the computers has been illegally used.

How can the bank be confident that none of the information has been used illegally? They are monitoring the BoI accounts of those 10,000 victims, but do you think the only potential scam is to withdraw money? These thieves are resourceful enough to rob a bank; could we not assume that they’re capable of taking some medical records and personal details and selling them to professional scammers who are far more experienced in matters of fraud than anyone who works at BoI?

The issue here is an underlying lack of responsibility from BoI from start to finish. They were irresponsible when it came to protecting your data. They were irresponsible when they opted not to disclose the breaches initially. And now they’re being irresponsible as they play down the potential impact, moving to dismiss legitimate concerns that victims might have.
