Eircom, Meteor, Emobile users - Laptop data breach.

zapata

http://breakingnews.ie/ireland/potential-data-breach-as-eircom-laptops-stolen-539298.html

Potential data breach as eircom laptops stolen

10/02/2012 - 07:00:44
Eircom has today reported a potential data breach for customers following the theft of three laptops.

Two of the computers were stolen from eircom's offices at Parkwest in Dublin between December 28, 2011 to January 2, 2012, and the third was taken from the home of an employee on December 19. The data on all of the laptops was not encrypted.

The company says the theft has resulted in a potential data breach for more than 6,845 eMobile and Meteor customers, as well as 686 employees.

"Specifically, there is a potential data risk for 6,441 current and previous eMobile business customers, dating from August 2010 until December 2011," said a company statement regarding the Parkwest theft.

"The data at risk for the vast majority of customers is personal data including names, addresses and telephone numbers. There is a small group of approximately 146 customers where financial data including bank account details may be at risk.

"Separately, there is also a risk to data held within 404 Meteor customers. The data specifically concerns post-pay customers who applied online between January and July 2011.

"The personal data at risk includes details such as an applicant’s name, address, and telephone numbers as well as a range of documentation used to support a customer application such as passport and drivers licence details, various photo ids or utility bills which all may have been used to establish proof of identity.

"In some cases financial data such as bank account, laser or credit card details is also at risk."

The theft has sparked a review of the firm's encryption policy.

Gardaí have been notified and two separate investigations are underway. The company said that there is no evidence at this time that the data at risk has been used by a third party.

The company said that it is now working to contact anyone who may be affected by the problem.

"Eircom treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation," said a company statement.

"More than 20 customer care agents and account managers have initiated a contact programme to telephone all 550 customers whose financial data may be at risk.

"The agents will notify the customers of the risk and inform them of the specific data involved. They will also answer any questions or concerns they may have. In addition, all impacted customers will be notified by letter.

"As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile and Meteor customers."

Read more: http://breakingnews.ie/ireland/potential-data-breach-as-eircom-laptops-stolen-539298.html#ixzz1ly84kL73

Why would they NEED this user data on their laptops and why weren't the laptops encrypted. The management in charge of their IT security should be sacked and their pensions revoked. :mad:

smash

They know what a VPN is right? There is no need to have any of this info on a laptop.

Jesus Wept

Good to see they learned nothing from Bord Gais et al.
The nogoodniks run this country,THE NOGOODNIKS.

Seachmall

Eircom treats privacy and protection of all data extremely seriously

And yet fail to implement even the most basic of security measures.

Dyr

smash wrote: »

They know what a VPN is right? There is no need to have any of this info on a laptop.

You lead users to VPN's but you can't make them think

Duggy747

That is one of the most daftest things I've heard in ages. Why the hell would they put such stuff on laptops? Unencrypted laptops?

What next, Government has details of people who signed on last year written on the back of a cereal box stolen?

Wossack

Stolen Dec 19, and only hearing about it now? Time's of the essence, when someone has your personal details/credit card info..

Standard Toaster

Fucking Morans.

pirelli

Wossack wrote: »

Stolen Dec 19, and only hearing about it now? Time's of the essence, when someone has your personal details/credit card info..

You have to act quickly in criminal matters.

witless1

I got a call about this yesterday, I'm in the 550 person bracket who signed up online last year to Meteor. Was told on the phone that my passport scan, utility bill scan, debit + credit card (I used both, one to initially sign up and the other to pay for their roaming charge) and general account information was on the laptop, with no encryption. I was given a freephone number to ring which is handling the situation, its 1800444085 for anyone who might need it.

Anyway rang them this morning and they read from a sheet to me, didn't ask for my username or any way to identify me so its a generic information line. They used the lines we "believe" you are not at risk and to warn me that your data "may" be in the public domain. I asked them about any form of compensation seems I have to get my debit / credit card reissued and possibly notify my bank and keep an eye on my direct debits etc. Also asked about canceling my contract which still has 12 months to run and was told they weren't handling that side of it and their special task force was only there for general info.

LumpyGravy

zapata wrote: »

Why would they NEED this user data on their laptops and why weren't the laptops encrypted. The management in charge of their IT security should be sacked and their pensions revoked.

With a backwards company like Eircom I wouldn't be surprised if their whole customer 'database' was just one big excel spreadsheet.

jester77

wow, can't believe that there are still companies out there that don't encyrpt their laptops :eek: Especially companies that have sensitive data, worse than amateur

Standard Toaster

LumpyGravy wrote: »

With a backwards company like Eircom I wouldn't be surprised if their whole customer 'database' was just one big excel spreadsheet.

You're not far off....I deal with some of them myself.

Seachmall

I think people who are affected by this should get together and file a class-action lawsuit, or whatever the Irish equivalent is.

They took absolutely zero precautions in protecting extremely sensitive data of their customers. There must be a violation of the Data Protection Act here.

Ledger

Duggy747 wrote: »

That is one of the most daftest things I've heard in ages. Why the hell would they put such stuff on laptops? Unencrypted laptops?

What next, Government has details of people who signed on last year written on the back of a cereal box stolen?

Nah, probably just written on the back of their hand.



But seriously though. I have a Meteor Bill-Pay Account and we have Eircom Phone and Broadband at home. From the information in the article, I'm thinking (and hoping) that I'm not affected. Jesus Christ like, one of the biggest, if not the biggest telecommunications organisation in the country can't manage to encrypt their customers' accounts information for the fcuking prices they charge for Eircom branded services? A holy fcuking disgrace!


Backwards isn't the word for it!!


Rant over.

Ledger

Standard Toaster wrote: »

You're not far off....I deal with some of them myself.

Microsoft Access then I'd presume. You could't write this stuff.:mad:

Corkfeen

Wonder if Eircom will end up going under relatively soon. They're in massive debt and this just one of their many failures in recent years. Such incompetence is astonishing.

Naid23

Corkfeen wrote: »

Wonder if Eircom will end up going under relatively soon. They're in massive debt and this just one of their many failures in recent years. Such incompetence is astonishing.

With the amount of People the employ etc, i would doubt the government would let that happen. Be bailed out for sure.

The J Stands for Jay

There should be some prison time over this one. How could anyone possibly think that they could ever need this type of data on a laptop? Was an Eircom employee trying to commit fraud from home?

The J Stands for Jay

Naid23 wrote: »

Corkfeen wrote: »

Wonder if Eircom will end up going under relatively soon. They're in massive debt and this just one of their many failures in recent years. Such incompetence is astonishing.

With the amount of People the employ etc, i would doubt the government would let that happen. Be bailed out for sure.

Fcuk them. Nationalise their cabling and other infrastructure and let the organisation burn. Then cave in to the demands to privatise it again.

mike65

Most expensive line rental most leaky security, why would anyone be a errorcom customer in this day and age?

kirving

I'm a bill pay customer and although I haven't been affected, I wouldn't really care. The type of person to rob a laptop isn't going to a whole lot with that info. They'll just try to sell it for their next fix.

Solair

What was this kind of information doing on a laptop in the first place?? If you signed up once you'd expect that information to be held on a secure server, not on some random employee laptop!

I think I'll go back to paying my phone bill in cash! Not sure I'd trust that lot with may card details.

I find it a bit mad that mobile operators demand sensitive documentation like passports. All that should be required is that the sales person verifies you are the same person as pictured on the passport. Holding documents on file is mad !!

Seachmall

Kevin Irving wrote: »

The type of person to rob a laptop isn't going to a whole lot with that info. They'll just try to sell it for their next fix.

Two of the computers were stolen from eircom's offices at Parkwest in Dublin between December 28, 2011 to January 2, 2012, and the third was taken from the home of an employee on December 19.

Sounds like someone specifically targeted the laptops for the information on them, so they probably have a plan.

Even if they were just random thefts they could easily publish the records to the public domain, which is pretty damaging.

Run_to_da_hills

Kevin Irving wrote: »

I'm a bill pay customer and although I haven't been affected, I wouldn't really care. The type of person to rob a laptop isn't going to a whole lot with that info. They'll just try to sell it for their next fix.

Sell it on to one of these back street PC repair shops that will remove this information before they format the drive and then pass it on to their scamming mates abroad.

Duggy747

Seachmall wrote: »

Sounds like someone specifically targeted the laptops for the information on them, so they probably have a plan.

Even if they were just random thefts they could easily publish the records to the public domain, which is pretty damaging.

It does sound like it was planned considering the importance (or lack of, should I say) of these specific laptops and the short space of time they were stolen in.

Big money to be made handing that kind of data over to scammers abroad, which is pretty detailed given that some contain passport details.

Nearly 2 months before going public with this is pretty bad, no company should be allowed to get away with this sort of incompetence.

c_man

smash wrote: »

They know what a VPN is right?

Eircom? Not a smart bet...

Faolchu

Seachmall wrote: »

They took absolutely zero precautions in protecting extremely sensitive data of their customers. There must be a violation of the Data Protection Act here.

I did my thesus on this exact subject years ago and it its a breach of teh DPA if adequate measurs are not taken to protect the data on these devices, BUT with the DPC actually prosecute or will it be another slap on the wrist as has always been the case?

Carroller16

I just got a phonecall from Meteor who told me I was one of the customers affected. I actually don't know what to do.

Run_to_da_hills

Carroller16 wrote: »

I just got a phonecall from Meteor who told me I was one of the customers affected. I actually don't know what to do.

A very good excuse to terminate your contract with them due to their incompetence.

witless1

Run_to_da_hills wrote: »

A very good excuse to terminate your contract with them due to their incompetence.

I'm pushing for that myself at the moment. Just had an agent on live chat there and he said they honestly don't know what they are going to do and they are in the dark on it. I had to cancel my credit + debit card just there, canceling the contract shouldn't be a problem but they should be offering something to the users affected in terms of compensation, be that decent packages, phone upgrades or whatever. I won't have my cards back until this day week and the passport scan is something that is concerning me as well.

witless1

Data Protection Update

Meteor on the 2nd of February reported a potential data breach for up to 404 Meteor customers to the Data Protection Commissioner. The issue is a result of the theft of two laptops. The incidents were immediately reported to An Garda Siochána and two separate investigations are ongoing. There is no evidence at this time that the data at risk has been used by a third party.

Meteor treats privacy and protection of all data extremely seriously. We have already taken the precautionary measure of reporting the incident to the Irish Banking Federation however we would advise you to monitor your bank account activity and report anything suspicious directly to your bank.

In the coming days we will telephone the 404 customers whose financial data may be at risk to answer any questions or concerns they may have. All impacted customers will be notified by letter. Customers who believe they may have been affected can contact us at 1800 444 085.

http://www.meteor.ie/dataprotectionupdate/

It gets better somehow! They are saying on twitter (and to affected people) that they reported it to the Gardaí and the Data Protection Commissioner yet their website says otherwise. That's a serious gap between when it was stolen and when the Commissioner was informed.

Carroller16

witless1 wrote: »

I'm pushing for that myself at the moment. Just had an agent on live chat there and he said they honestly don't know what they are going to do and they are in the dark on it. I had to cancel my credit + debit card just there, canceling the contract shouldn't be a problem but they should be offering something to the users affected in terms of compensation, be that decent packages, phone upgrades or whatever. I won't have my cards back until this day week and the passport scan is something that is concerning me as well.

Hi witless, I am in the same boat as you. I suppose the thing to do would be withdraw wnough money for the week and then cancel the cards.

CarrickMcJoe

jester77 wrote: »

wow, can't believe that there are still companies out there that don't encyrpt their laptops :eek: Especially companies that have sensitive data, worse than amateur

In a statment they said that these 3 laptops somehow were not encrypted. I find it hard to believe that someone managed to steal the only 3 unsecure laptops in different parts of the country.

Amateur is not the word.

witless1

Carroller16 wrote: »

Hi witless, I am in the same boat as you. I suppose the thing to do would be withdraw wnough money for the week and then cancel the cards.

Yeah that's what I have had to do, no doubt I will end up having to tap someone in the house for money come the end of the week if I haven't done my sums right!!

vtec_vixen

Did not ever hear of secure servers for data viewing and retrieval.
This day and age to be storing this kind of stuff on a laptop. with no encryption to top it off.

Eejits. Thanks God I dont work for them anymore haha

Run_to_da_hills

witless1 wrote: »

.............the passport scan is something that is concerning me as well.

That would be a greater concern for me than the credit cards particularly with rogue states like Israel about.

lifeandtimes

Carroller16 wrote: »

Hi witless, I am in the same boat as you. I suppose the thing to do would be withdraw wnough money for the week and then cancel the cards.

Hey guys can i ask are you business or residential customers?

witless1

lifeandtimes wrote: »

Hey guys can i ask are you business or residential customers?

Residential in that sense. Plain old 25 a month bill pay contract.

Eoin

Ledger wrote: »

Microsoft Access then I'd presume. You could't write this stuff.:mad:

Like many telcos that have been around a while, the primary customer data source is a mainframe. It's a nightmare to upgrade from, and a nightmare to integrate with. Even if it's not that particular system, integration projects tend to be extremely long and expensive. Especially as many of the IT staff have been let go in the last few years.

So you tend to get a lot of flat file exports to get relevant data for different departments. Ironically, the reason those staff don't have direct access is probably to limit the number of staff who have full access to all the customer details.

The laptops being unencrypted is very poor.

Nothingbetter2d

zapata wrote: »

http://breakingnews.ie/ireland/potential-data-breach-as-eircom-laptops-stolen-539298.html




Why would they NEED this user data on their laptops and why weren't the laptops encrypted. The management in charge of their IT security should be sacked and their pensions revoked. :mad:

lol eircom cant afford security...they are 3.75bil in debt

du Maurier

Standard Toaster wrote: »

Fucking Morans.

Leave the Morans out of it:pac:

Eoin

Nothingbetter2d wrote: »

lol eircom cant afford security...they are 3.75bil in debt

They can't afford to not have basic security.

Stiffler2

they should be handed abuscus's instead.

Solair

Carroller16 wrote: »

I just got a phonecall from Meteor who told me I was one of the customers affected. I actually don't know what to do.

It would depend on what data they had on file.

If they've any credit / debit (Laser/Visa Debit) on file, you should immediately cancel them and get new cards issued.

If they had scans of your passport, you really should contact the passport office and cancel your passport and get a new one. ID theft is a big issue.
(I would send the passport application / renewal bill to Eircom too)

If they've your bank account details on file, just keep an eye on your account and also go in and check what DDs are setup. To be honest, there's not a whole lot that can be done with bank account details as they can't be used for outwards payment other than by DD and that's usually highly traceable e.g. for utility companies etc.

Standard Toaster

Are my old Oceanfree chat logs on any of the laptops or is that Esat BT??? :eek:



/makes a break for Yemen :pac:

Solair

Standard Toaster wrote: »

Are my old Oceanfree chat logs on any of the laptops or is that Esat BT??? :eek:



/makes a break for Yemen :pac:

Ocean was BT/ESB joint venture.
BT bought Esat and merged Ocean into what ultimately became BT Ireland.

Then BT Ireland sold off its consumer business to Vodafone, but BT Ireland remains a major player in the business communications area and also as an infrastructure provider to other telcos e.g. Vodafone, 3 and lots of others!

So, eh your OceanFree chat logs might be with Vodafone Ireland or BT Ireland

This data protection breech only involves Eircom.

Eircom = Eircom, EMobile and Meteor.

Standard Toaster

Solair wrote: »

Ocean was BT/ESB joint venture.
BT bought Esat and merged Ocean into what ultimately became BT Ireland.

Then BT Ireland sold off its consumer business to Vodafone, but BT Ireland remains a major player in the business communications area and also as an infrastructure provider to other telcos e.g. Vodafone, 3 and lots of others!

So, eh your OceanFree chat logs might be with Vodafone Ireland or BT Ireland

This data protection breech only involves Eircom.

Eircom = Eircom, EMobile and Meteor.

Soooooooo, what you're saying is I should move to Yemen??

ToxicPaddy

Standard Toaster wrote: »

Solair wrote: »

Ocean was BT/ESB joint venture.
BT bought Esat and merged Ocean into what ultimately became BT Ireland.

Then BT Ireland sold off its consumer business to Vodafone, but BT Ireland remains a major player in the business communications area and also as an infrastructure provider to other telcos e.g. Vodafone, 3 and lots of others!

So, eh your OceanFree chat logs might be with Vodafone Ireland or BT Ireland

This data protection breech only involves Eircom.

Eircom = Eircom, EMobile and Meteor.

Soooooooo, what you're saying is I should move to Yemen??

Solair

Standard Toaster wrote: »

Soooooooo, what you're saying is I should move to Yemen??

Probably a good idea.

o1s1n

Standard Toaster wrote: »

Are my old Oceanfree chat logs on any of the laptops or is that Esat BT??? :eek:



/makes a break for Yemen :pac:

Sometimes I wonder if Esat still have all the hate mail I sent them after cutting me off 'nolimits' :mad:

Excessive use my arse, it was dail up ffs!