Archive for May, 2008

Confidential Laptop Stolen… 7 Years Ago

Tuesday, May 13th, 2008

They’re coming out of the woodwork now. The latest in the Bank of Ireland saga is that they have admitted that another laptop was stolen… seven years ago.

  • 2001: Bank of Ireland laptop gets stolen. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments. They tell nobody.
  • 2002: ??
  • 2003: ??
  • 2004: ??
  • 2005: ??
  • 2006: ??
  • 2007: Bank of Ireland laptops stolen on at least four occasions, containing personal information of tens of thousands of people. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments.
  • 2008: Bank of Ireland admit the theft of four laptops, but initially acknowledge only part of the impact. The media swoops, the public responds, pointy-haired bosses get an earful, and basic policies from Security 101 (like encrypting laptop hard drives) are introduced.

There are a lot of conclusions that could be drawn from this timeline. Here are some of mine:

  • The Irish Guild of Laptop Thieves must have called a five-year strike from 2002 to 2006 in protest against rising house prices in Ireland.
  • Institutions like Bank of Ireland can repeatedly get away with disastrous privacy leaks simply by not telling anyone.
  • Nothing ever gets done until it’s in the spotlight and pressure is applied.

Bank of Ireland has once again played down the potential threat of this theft, stressing the fact that the data stolen is seven years old. The HSE files in the field were 25+ years old; it doesn’t matter that the data is old. Data such as name, date of birth, address, bank details and medical history does not change regularly. And if my details are sitting in a scammer’s database, I don’t care how old they are.

Bank of Ireland are playing down the potential threat simply because it is in their interest to minimise this problem - the one they didn’t want to admit to in the first place. We need the Data Protection Commissioner to be informed of these instances when they happen in order to independently investigate and assess the potential threat.

Confidential Medical Files “dumped in fields in Co Cork”

Thursday, May 1st, 2008

It has been a high profile week for identity theft issues in Ireland. First we heard about the Bank of Ireland laptop data theft, prompting Glandore Systems to call upon the Irish government to introduce mandatory disclosure laws (responding to this breach and others recently, such as Jobs.ie and the Blood Transfusion Service). Somebody at Glandore Systems called “James Gavin” was quoted in the Irish Examiner speaking on the issue - he must be a new hire or something :)

The need for mandatory breach disclosure was validated only a few days later, as Bank of Ireland have admitted to the issue being much larger than they initially said. Now 30,000 users are affected, from 29 different branches. I will only reiterate that for all we know there could be 300,000 users affected - if the bank has no legal obligation to disclose data theft then how can we expect to know?

Mirroring the disregard that a major Irish bank shows for its customers’ privacy, we now find out that the Health Service Executive has dumped confidential medical files in a field.

The files contain detailed medical histories of people who were treated at Cork Regional Hospital, the hospital now known as Cork University Hospital, and at St Finbarr’s Hospital in the city.

Data includes the names, addresses, dates of birth and medical conditions of patients treated in the 1970s and early 1980s.

The HSE says that it “does not know how many”. Between the Regional Hospital and St. Finbarr’s, that potentially covers just about every Cork person over the age of 25 - including me. Once again, a major institution in Ireland has put the population at risk of identity theft and other fraud. How will the government respond? A bank doesn’t even bother to encrypt its files. The health service dumps confidential files in a field. Institutions like Bank of Ireland and the HSE will only introduce stricter security policies if the government brings in laws to protect us from their neglect.

Another Cork-based software company, You Get It Back, puts things into perspective by using the Washington Post’s estimates to gauge how much a thief can gain from selling personal details on the black market. In the case of the backup tapes that were stolen from the University of Miami last week, it amounts to $28 million! With figures like this, even your average laptop thief on the street is going to wake up to the fact that there is big money to be made if you can get your hands on some juicy personal details. Institutions need to be held accountable when they allow theft like that to occur, but they’re never going to be held accountable if they don’t even have to admit to the data loss in the first place!