This week has seen two more instances of customer data loss by two more Irish organisations. These are the 12th and 13th incidents of data loss tracked in this running total I’m keeping – Who has lost their customers personal data?
The Health Service Executive (HSE) in Roscommon were the first to be outed. This is the 4th entry of the HSE on the list. According to this article:
Yesterday it was revealed that the Health Service Executive (HSE) and gardai were investigating the theft of 15 laptops in Roscommon town.
The HSE confirmed tonight that information on one unencrypted laptop contained sensitive details relating to a social worker’s case notes involving nine families.
The larger second incident affected Bord Gais Energy, and many of their new electricity customers. According to the same article:
A laptop containing the bank account details of 75,000 Bord Gais electricity customers has been stolen, it was revealed tonight.
The energy company confirmed that the laptop – which was not encrypted – was one of four taken during a burglary at its Dublin offices 12 days ago.
The usual questions have to be asked here – and unfortunately, many of us watching such data losses and data protection screw-ups are tired of asking them.
While it’s understandable that a social worker would have case notes on a laptop, it’s ridiculous that the laptop wasn’t encrypted. Last September, the HSE was impacted in exactly the same way – this is the reporting from that occasion:
The Office of the Data Protection Commissioner said it is surprised that people still carry around laptops with sensitive information, which is not encrypted.
That’s 9 months ago. Why weren’t the remaining laptops in the HSE encrypted since then? I know there are a lot of laptops in such a big organisation, but surely 9 months was enough time to protect them all.
The more egregious foul up here is that of Bord Gais Energy. There is no legitimate reason that would require a company such as this to store the personal banking details of their customers on a laptop.
The fact that the laptop wasn’t encrypted compounds this balls up. And the fact that the laptop was stolen from inside their office doesn’t negate that fact. Any responsible company nowadays ensures that no sensitive data is stored on portable devices at all, and where this is unavoidable, precautions are taken to ensure that devices are encrypted, and further, other measures can be taken to ensure such data is deleted either automatically or remotely.
I have a couple of serious concerns here.
Firstly, the Data Protection Commissioner was complicit with Bord Gais Energy here in keeping this data theft secret, leaving 75,000 customers hung out to dry and blissfully unaware that their bank details were in the hands of criminals.
Secondly, from the coverage that I heard on RTE Lunchtime news, it’s most likely that Bord Gais Energy will get nothing more than a slap on the wrists from the Data Protection Commissioner for this negligence. The DPC, who have been helpful to ValueIreland.com and our information requests in the past, are unfortunately doing the classic National Consumer Agency cop-out of “working with” Bord Gais Energy rather than actually defending the interests of consumers – the primary purpose of the DPC.