Confidential Laptop Stolen… 7 Years Ago

May 13th, 2008 by James

They’re coming out of the woodwork now. The latest in the Bank of Ireland saga is that they have admitted that another laptop was stolen… seven years ago.

  • 2001: Bank of Ireland laptop gets stolen. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments. They tell nobody.
  • 2002: ??
  • 2003: ??
  • 2004: ??
  • 2005: ??
  • 2006: ??
  • 2007: Bank of Ireland laptops stolen on at least four occasions, containing personal information of tens of thousands of people. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments.
  • 2008: Bank of Ireland admit the theft of four laptops, but initially acknowledge only part of the impact. The media swoops, the public responds, pointy-haired bosses get an earful, and basic policies from Security 101 (like encrypting laptop hard drives) are introduced.

There are a lot of conclusions that could be drawn from this timeline. Here are some of mine:

  • The Irish Guild of Laptop Thieves must have called a four-year strike between 2002 and 2006 in protest against rising house prices in Ireland.
  • Institutions like Bank of Ireland can repeatedly get away with disastrous privacy leaks simply by not telling anyone.
  • Nothing ever gets done until it’s in the spotlight and pressure is applied.

Bank of Ireland has once again played down the potential threat of this theft, stressing the fact that the data stolen is seven years old. The HSE files in the field were 25+ years old; it doesn’t matter if the data is old. Data such as name, date of birth, address, bank details, medical history, etc., do not change regularly. And if my details are sitting in a scammer’s database, I don’t care how up to date they are.

Bank of Ireland are playing down the potential threat simply because it is in their interest to minimise this problem - the one they didn’t want to admit to in the first place. We need the Data Protection Commissioner to be informed of these instances when they happen in order to independently investigate and assess the potential threat.
