Eir announced yesterday, 21st Aug that it had suffered a serious data breach when one of it Laptops was stolen outside the company office on the 12th August. Eir reported the breach to the Data Protection Commissioner and the Gardai. Eir say that there is no evidence at this time that the data concerned has been used by a third party. By the way for what it’s worth you can find out if any of your data has been leaked by any company with this handy tool.
Eir have begun sending letters to all customers affected by the data breach today. Why it took 10 days to inform customers is surprising.
How did it happen?
The Laptop was unencrypted and contained files of a PID nature (Personable Identifiable Data) i.e. customer names, email addresses and Eir customer numbers of 37,000 customers. The Laptop is still password protected to gain access, but this is not a difficult step to overcome for an even inexperienced cyber criminal.
Crucially no financial data was contained on the laptop. Eir say company policy is that all Laptops should be encrypted and password protected. However in this case the Laptop in question was at the time un-encrypted due a faulty security update the previous day de-encrypting the Laptop. Questions should be asked to the level of testing that was performed on the security updates prior to being rolled out.
Additionally, it should be asked why the files were stored on the Laptop itself and not left on a secure company network folder. Most companies have a policy stating that files containing sensitive data should not be downloaded and stored onto local drives.
What do I need to do to protect myself?
Even though no financial information was present on the stolen Laptop, criminals can still use the data to build up a full profile of you, filling gaps from other data breaches or sources.
So Firstly, you should change your online Eir account password. If the old password was used for other websites and apps, change those also. Good practise is to have different passwords for all your web sites and apps where you have registered. Remembering them all is practically impossible of course, so use a good password manager tool to store all your passwords e.g. 1Password.
Secondly, read closely the communication sent to you by EIR and act on its recommendations.
Thirdly, keep a close eye on your bank accounts for any suspicious activity over the coming weeks and months. Anything unusual inform your bank and Eir.
We will be keeping an eye on the story as it develops so watch this space.