Stolen laptops raise serious security issues
22-04-2008
by Bryan Collins
 
The computers belonged to Bank of Ireland (BOI) Life and were stolen from staff members between June and October last year. BOI reported the theft to the Data Protection Commissioner and the financial regulator last Friday.
"The investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances which led to the delay in the reporting of this matter internally within the Bank of Ireland to the appropriate personnel for the taking of further action," the Data Protection Commissioner's Office said in a statement.
The information on the four BOI laptops contained the names, addresses, financial details and some medical records of its life assurance customers. BOI was criticised for the apparent delay in reporting the laptop thefts, and for using passwords instead of encryption techniques to protect the stored information.
"Given the nature of the information that was stolen, containing not just confidential financial details, but also sensitive medical data, this is unacceptable and represents a lamentable display by the bank," said the Labour Party's financial spokesperson Joan Burton.
Since learning of the theft, BOI has initiated a full internal investigation and started a programme to encrypt the information stored on all 5,000 of its staff's laptops.
"Encryption should be absolutely the minimum requirement in this day and age. The banks are saying that they are going to encrypt all their laptops, but the horse has already bolted. Unfortunately people don't respond until something happens and that's the way information security goes these days," said Colm Murphy, technical director with information security consultancy Espion.
BOI will also have to examine how it can secure other portable devices such as mobile phones and PDAs, and it will have to ask why staff need to carry information around with them.
"Users should be reminded of the value of information. Organisations now need to have a look at the serious issue of data classification internally and have it flagged so when you as a user access a certain kind of information, that there is a pop-up or some message or some indication that that information is protected under law," Murphy told ENN.
"Data must always stay in the datacentre, only be accessed from secure devices and remain fully protected, so that customers can trust that their information is safe," added Chris Mayers, Citrix chief security architect.
The bank has released some specifics about the information contained on the stolen laptops. In a statement it said that content relating to certain customers who obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the branches in Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght and Montrose, was contained on the laptops.
The bank plans to write to affected customers over the next few days and has said that anybody who is not a customer of these branches is not affected by this incident. It has also set up a helpline to handle any customer queries, through the Bank of Ireland Life Option on 1850 365 365. This customer helpline will be open from 9.00am to 6.00pm Monday to Friday.
The theft of the Bank of Ireland's computers follows on the loss of a laptop belonging to the Irish Blood Transfusion Service with the personal details of 170,000 blood donors. That computer was stolen when a staff member was mugged in New York.
Bank of Ireland is not the first bank to lose sensitive information. Earlier this month HSBC bank, in the UK, revealed it had lost a disc containing details of 370,000 of its customers. The data went missing after the bank used the Royal Mail to transport the disc from its offices in Southampton to Swiss Re.
