RTE News tonight reported that Bank of Ireland has admitted to having four laptops stolen some time last year, resulting in the personal data of 10,000 of the bank’s customers being exposed. The laptops were stolen from the bank’s Life Assurance division. It is reported that one laptop was stolen from an employee’s car.
The data included personal details such as medical reports, addresses and bank account details. Basically all the ingredients an identity thief could wish for.
Details on the breach are still sketchy, but so far the bank has admitted that while the laptops were password protected, the data on the laptops was not encrypted. However, one must ask why that amount of personal data was allowed to be downloaded onto laptops without encryption installed on those machines.
So far none of the affected customers have been contacted and, despite the breach occurring last year, the Data Protection Commissioner and the Financial Regulator were only contacted last week. As of the time of writing there are no details on the bank’s website for customers to refer to.
This breach is in stark contrast to the prompt notification that the Irish Blood Transfusion Board and Jobs.ie gave to impacted clients when they too recently suffered breaches.
The lack of notification to customers, especially in the light of the sensitivity of the data exposed, reinforces my call to the Irish Government last year to introduce mandatory breach disclosure laws here in Ireland.
As more data becomes available I will update the blog accordingly. In the meantime, you may want to read the “Lessons Learnt from the IBTS Breach” in the event you end up having to deal with a data exposure in your company. Don’t forget to read our free white paper on “Incident Response”.