emobile/meteor laptops stolen with customers details

quad_red

http://www.rte.ie/news/2012/0210/eircom.html

Folks, when are affected customers going to be informed?

If I haven't heard from emobile yet does that mean I'm unaffected?

witless1

quad_red wrote: »

http://www.rte.ie/news/2012/0210/eircom.html

Folks, when are affected customers going to be informed?

If I haven't heard from emobile yet does that mean I'm unaffected?

I'm on Meteor and received a call at 5.30 yesterday about it. According to the chap, they are only ringing the people in the bracket that have their bank account details compromised. So that's the 550 they mentioned in the article.

They have a brilliant (sarcasm!!) general info line on 1800444085 for meteor at least so I am assuming replace the 085 with the emobile prefix. It's only a general info line, they never asked for anything to identify me by in order to see what affected me. They used the words we "believe" your data is not being misused and to inform me that your data "may" be in the public domain. I asked about canceling my contract and what compensation had they planned for customers who have to go and cance and reissuel their credit / debit card and possibly passport/ bank account in general. They literally have enough info on that laptop about people for a full identity fraud.

quad_red

witless1 wrote: »

I'm on Meteor and received a call at 5.30 yesterday about it.

Feck!

witless1 wrote: »

According to the chap, they are only ringing the people in the bracket that have their bank account details compromised. So that's the 550 they mentioned in the article.

F*ck that! I want to know if my name, address and contact details have been high jacked, thanks very much. Even without the bank details, that's damaging enough.

witless1 wrote: »

I asked about canceling my contract and what compensation had they planned for customers who have to go and cance and reissuel their credit / debit card and possibly passport/ bank account in general.

And what did they say?

witless1

quad_red wrote: »

Feck!

And what did they say?

I was fast enough yesterday to mention canceling my contract to the meteor rep and he took a note of it and said it wasn't something they had considered in their little handbook which he had to read out of. In fairness the chap spent a good two mins reading out chunks of it to me and said he would note it and get someone to call me back. At the time it didn't twig with me the implications in terms of canceling credit/debit card let alone anything else so when I rang the 1800 number this morning I asked pretty much straight away. The chap there was less then helpful and kept reading the same script to me and I told him he wasn't answering my questions and could he put me on to someone that could. Was told that there is no one else on that number in a position to tell me anything and they were a general contact point. He didn't even tell me to contact meteor support directly, just left me assume that is what I had to do. I'v sent them a message on twitter will see if they get back to me with an in house meteor number to ring. Will be in a position this evening to give them a buzz then.

Loggie

witless1 wrote: »

I was fast enough yesterday to mention canceling my contract to the meteor rep and he took a note of it and said it wasn't something they had considered in their little handbook which he had to read out of. In fairness the chap spent a good two mins reading out chunks of it to me and said he would note it and get someone to call me back. At the time it didn't twig with me the implications in terms of canceling credit/debit card let alone anything else so when I rang the 1800 number this morning I asked pretty much straight away. The chap there was less then helpful and kept reading the same script to me and I told him he wasn't answering my questions and could he put me on to someone that could. Was told that there is no one else on that number in a position to tell me anything and they were a general contact point. He didn't even tell me to contact meteor support directly, just left me assume that is what I had to do. I'v sent them a message on twitter will see if they get back to me with an in house meteor number to ring. Will be in a position this evening to give them a buzz then.

Got a phone call from meteor this morning, 10am, informing me my details were on one of the laptops. No bank details though (apparently).

Been trying since 10.30am till around noon to get an answer to my concerns but getting the same crap as witless. No one knows what to do. My concern is identity theft and what I can do to prevent it. They can't answer and have no advice on what to do.

Spoke to 4 different people in meteor each transferring me to "someone who was looking after the issue" but none of them knew what to do. Now the last person told me I would get a call from the supervisor looking after this issue by the end of the day. Should be good.

witless1

Exact same run around I am getting. What annoys me though is they haven't even offered any advice. In my case my bank account details were included on the files stolen and they told me to monitor my accounts. I know I used my debit + credit card, whatever about the latter it's the debit card that concerns me most. That's not insured and is linked directly to my bank account so they could do serious damage on that end without me being aware of it. I have had my CC stopped for fraud in the past when I bought a lot of stuff online and in stores over the course of a few days. I have never had my debit card stopped when I used it to a similar if not heavier volume in the run up to Christmas. I had to go ring AIB this morning and they were very concerned about this and that they were getting their information from the radio and internet. They wanted me to cancel my cards immediately, which I did, and they are sending out replacements next week to me. Yet on the phone yesterday I was assured that they had informed my bank to keep an eye on things. I'm calling bull**** on half of what they have told me so far and like yourself am waiting on a supervisor to ring me back.

lifeandtimes

witless1 wrote: »

Exact same run around I am getting. What annoys me though is they haven't even offered any advice. In my case my bank account details were included on the files stolen and they told me to monitor my accounts. I know I used my debit + credit card, whatever about the latter it's the debit card that concerns me most. That's not insured and is linked directly to my bank account so they could do serious damage on that end without me being aware of it. I have had my CC stopped for fraud in the past when I bought a lot of stuff online and in stores over the course of a few days. I have never had my debit card stopped when I used it to a similar if not heavier volume in the run up to Christmas. I had to go ring AIB this morning and they were very concerned about this and that they were getting their information from the radio and internet. They wanted me to cancel my cards immediately, which I did, and they are sending out replacements next week to me. Yet on the phone yesterday I was assured that they had informed my bank to keep an eye on things. I'm calling bull**** on half of what they have told me so far and like yourself am waiting on a supervisor to ring me back.

I rang up and the said it was only conserning business customers but witless1 your said your on a residential package so somethings a miss here,im on a residential package and just want to know if im effested

witless1

I'm not sure where they are getting that from. The call I got yesterday was fairly spot on in terms of what details I had provided and what details are missing. The term residential is a bit confusing though, so just to clarify it. I'm with meteor on a bill pay contract as a personal customer. So 100% not a business entity in their eyes. The line they are taking on twitter and from people I know who have rang them is "we will ring those affected". So if you don't receive a phone call you can assume you are ok, that's the information I am getting from them anyway.

eircom: Tony

lifeandtimes wrote: »

I rang up and the said it was only conserning business customers but witless1 your said your on a residential package so somethings a miss here,im on a residential package and just want to know if im effested

Hi Guys
I can understand the need for clarity and information on such a serious issue. I have been advised that it is eMobile Business customers that are impacted by this incident and not eMobile residential customers.
any business customers impacted will be contacted directly, no evidence so far that at risk data has been used

I have also been advised that all meteor customers impacted have already been contacted.
We are currently investigating this incident with all relevant internal and external organaisations including the Gardaí, Banks and Data Protection Commissioner.

I would repeat the advice given in previous posts here, and offered by customer support in this matter. Do please monitor your acount, contact us immediately if you notice any anomolies.
If you are an Emobile customer you should call 1800 428 278. Or Pm me here and I can escalate for you.


I attach the following official statement. We will post more info as soon as we get this.
Again we apologies for this incident and the frustration caused.
Tony


eMobile Statement on Laptop Theft (Issued 9 February 2012)
eMobile has reported a potential data breach for up to 6,441 eMobile business customers to the Data Protection Commissioner. The breach is a result of the theft of three laptops, two laptops from offices at Parkwest, Dublin. The incident was immediately reported to the Gardai and an investigation is ongoing. There is no evidence at this time that the data at risk has been used by a third party.

eMobile treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation.

A number of account managers have initiated a contact programme to telephone 146 customers whose financial data may be at risk. The agents will notify the customers of the risk and inform them of the specific data involved. They will also answer any questions or concerns they may have. In addition, all 6,441 impacted customers will be notified by letter.

As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile customers.

eMobile business customers can contact us directly on 1800 428278 or can visit www.emobile.ie

A review of the Group's encryption policy is underway to ensure all computers and laptops are compliant with the Group's encryption policy.

Theft from eircom offices at Parkwest

During the internal investigation it emerged that the two laptops contained personal data for some current and former eMobile business customers. Specifically, there is a potential data risk for 6,441 current and previous eMobile business customers, dating from August 2010 until December 2011. The data at risk for the vast majority of customers is personal data including names, addresses and telephone numbers. There is a small group of approximately 146 customers where financial data including bank account details may be at risk. There may also be a range of documentation used to support a customer application such as passport and drivers licence details, various photo ids or utility bills which all may have been used to establish proof of identity. In some cases financial data such as bank account, laser or credit card details is also at risk.

witless1

eircom: Tony wrote: »

I would repeat the advice given in previous posts here, and offered by customer support in this matter.

While I can only speak from a Meteor point of view and the customer reps I have dealt with (3 in total), they are not offering any advice outside of be vigilant, which is really not advice at all. My bank was horrified that this was the advice I was given and immediately took steps to secure my account and told me of the implications regarding my debit card in particular. At the very least, for those affected with regard their banking details, the instructions should be without a doubt to cancel your cards, immediately.

thefinalstage

eircom: Tony wrote: »

eMobile Statement on Laptop Theft (Issued 9 February 2012)
eMobile has reported a potential data breach for up to 6,441 eMobile business customers to the Data Protection Commissioner. The breach is a result of the theft of three laptops, two laptops from offices at Parkwest, Dublin. The incident was immediately reported to the Gardai and an investigation is ongoing. There is no evidence at this time that the data at risk has been used by a third party.

eMobile treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation.

A number of account managers have initiated a contact programme to telephone 146 customers whose financial data may be at risk. The agents will notify the customers of the risk and inform them of the specific data involved. They will also answer any questions or concerns they may have. In addition, all 6,441 impacted customers will be notified by letter.

As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile customers.

eMobile business customers can contact us directly on 1800 428278 or can visit www.emobile.ie

A review of the Group's encryption policy is underway to ensure all computers and laptops are compliant with the Group's encryption policy.

Theft from eircom offices at Parkwest

During the internal investigation it emerged that the two laptops contained personal data for some current and former eMobile business customers. Specifically, there is a potential data risk for 6,441 current and previous eMobile business customers, dating from August 2010 until December 2011. The data at risk for the vast majority of customers is personal data including names, addresses and telephone numbers. There is a small group of approximately 146 customers where financial data including bank account details may be at risk. There may also be a range of documentation used to support a customer application such as passport and drivers licence details, various photo ids or utility bills which all may have been used to establish proof of identity. In some cases financial data such as bank account, laser or credit card details is also at risk.

If data protection is taken seriously then why has it taken so long for affected customers to be notified and only after the media broke the story?

Also,

Why was such sensitive data not encrypted in the first place?

eircom: Tony

poisonedstream wrote: »

If data protection is taken seriously then why has it taken so long for affected customers to be notified and only after the media broke the story?

Also,

Why was such sensitive data not encrypted in the first place?

Hi poisonedstream
both your points are important and issue certainly is a serious one.


(1) This was reported earlier to the Gardai and Data Protection Commissioner, however despite hard work to restore the data, it proved difficult to comprehensively determine the definitive list of affected customers and the related data that has potentially been breached. The recovery process has been time consuming, due to its complexity to access the back-up tapes. We were bound to provide as much definite information and context as possible.
(2) The company’s policy requires all laptops be encrypted, why data could be on an non-encrypted laptop is under investigation. We are reviewing our laptops to ensure that all have appropriate encryption.


We will make any new information available to you as we get it.
If customers wish they can PM me re this issue.


I genuinely hope that none of you are impacted by this.


Regards
Tony

Loggie

witless1 wrote: »

I was fast enough yesterday to mention canceling my contract to the meteor rep and he took a note of it and said it wasn't something they had considered in their little handbook which he had to read out of. In fairness the chap spent a good two mins reading out chunks of it to me and said he would note it and get someone to call me back. At the time it didn't twig with me the implications in terms of canceling credit/debit card let alone anything else so when I rang the 1800 number this morning I asked pretty much straight away. The chap there was less then helpful and kept reading the same script to me and I told him he wasn't answering my questions and could he put me on to someone that could. Was told that there is no one else on that number in a position to tell me anything and they were a general contact point. He didn't even tell me to contact meteor support directly, just left me assume that is what I had to do. I'v sent them a message on twitter will see if they get back to me with an in house meteor number to ring. Will be in a position this evening to give them a buzz then.

eircom: Tony wrote: »

Hi poisonedstream
both your points are important and issue certainly is a serious one.


(1) This was reported earlier to the Gardai and Data Protection Commissioner, however despite hard work to restore the data, it proved difficult to comprehensively determine the definitive list of affected customers and the related data that has potentially been breached. The recovery process has been time consuming, due to its complexity to access the back-up tapes. We were bound to provide as much definite information and context as possible.
(2) The company’s policy requires all laptops be encrypted, why data could be on an non-encrypted laptop is under investigation. We are reviewing our laptops to ensure that all have appropriate encryption.

W

We will make any new information available to you as we get it.
If customers wish they can PM me re this issue.


I genuinely hope that none of you are impacted by this.


Regards
Tony

That's all very well in relation to bank details and being vigilant but with regards to personnal details, driving licence etc the fact remains it is not possible to monitor how someone may be using my stolen identity today, tomorrow or in 10years time. What is the eircom line on that?

thefinalstage

Loggie wrote: »

That's all very well in relation to bank details and being vigilant but with regards to personnal details, driving licence etc the fact remains it is not possible to monitor how someone may be using my stolen identity today, tomorrow or in 10years time. What is the eircom line on that?

And how are the affected/customer going to be compensated?

To be honest it's hard to have faith in a mobile provider where everything "should" be encrypted but on 3 seperate laptops on 2 seperate occasions sensitive data was stolen/unencrypted and it's hard to believe that any list of affected people that eircom come up with is correct..

witless1

poisonedstream wrote: »

And how are the affected/customer going to be compensated?

Meteor are offering the month of March as a free month for their bill pay customers. That's not going to cut it to be honest for anyone, like me, who is probably going to have to change their passport. What is Eircoms overall stance on something like that?

dub45

eMobile treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation.

It never ceases to amaze when Companies utter statements like that as a prelude to admitting that that's exactly what they haven't done!!!

Do Eircom think people are idiots and will put up with any old crap? You have ignored your own policies put people at serious risk of having their lives destroyed (and if you have any doubt about this possibility read this:

http://news.bbc.co.uk/2/hi/uk_news/magazine/7326736.stm

What happens if the people who stole this treasure trove of information wait several months to begin using it and money starts disappearing from your account? Do you really think it will be a simple matter of ringing Eircom and dropping down to John's Road for tea and biccies with the Chief Executive and a nice cheque?

My prediction is that you would be hearing from Eircom's legal department with a PROVE IT letter!!!

Eircom have shown that they are not worthy of the trust of their customer both in losing this data and in their slow reactions. They should be thrown out of the direct debit scheme immediately.

Sponge Bob

While the Irish DD scheme is a crock of sh1te in consumer terms I think the eircom laptops that were nicked were office bound ones...ie not left in the pub. By the same logic had a desktop been nicked with the same data it would not have been any more secure would it. ?

The timing of the release was peculiar considering the data was lost in December or early January.

The timing would most certainly not have anything to do with the serendipitously timed announcement of the 'our senior lenders told us to crap on our junior lenders so we did' eircom Bond Default , of course it didn't.

dub45

Sponge Bob wrote: »

While the Irish DD scheme is a crock of sh1te in consumer terms I think the eircom laptops that were nicked were office bound ones...ie not left in the pub. By the same logic had a desktop been nicked with the same data it would not have been any more secure would it. ?

The timing of the release was peculiar considering the data was lost in December or early January.

The timing would most certainly not have anything to do with the serendipitously timed announcement of the 'our senior lenders told us to crap on our junior lenders so we did' eircom Bond Default , of course it didn't.

By their own admission the laptops were not encrypted

Paul Bradley, head of Communications, Eircom Group, confirmed that the stolen computers were not encrypted, despite a stated policy for such computers to be encrypted.

If a company does not even ensure that it's own data policies are complied with how can they be trusted?

Why is customer and employee data be transferred to laptops anyway?

chris85

I am wondering if the Eircom rep can let us all know a bit more about the statement mentioned that this was reported to the Data Protection Commission earlier. The DPC are saying it was unacceptable how long it took for them to be notified of the data being stolen.

Can a timeline be provided as to when the laptops were stolen and when it was reported to both the DPC and the guards? If anymore than 48 hours it must be made told of why such a delay

Will be moving network very quickly over this one. If three laptops are unencrypted how do we know they all arent. There must be a serious lack of adherence to this policy if all the stolen laptops werent encrypted. I would be worried about this lack of protection over my personal info.

Expect numerous Data Access Requests from customers and complaints. I will be one of them.

PseudoFamous

Sponge Bob wrote: »

By the same logic had a desktop been nicked with the same data it would not have been any more secure would it. ?

I don't know of many occassions desktops with customer data have been stolen. Desktops are bulky, laptops are not, so laptops are an easy target for theives. For all we know, eircom haven't learnt their lesson, and the same data could still be on a computer, either laptop or desktop, unencrypted.
It would probably be best for this data to be in a high security datacentre, rather than a relatively unguarded, easily stolen laptop. I'd suggest eircom move the data to one, and have it nowhere else.

Marcin_diy

all affected customers should already have their cards, account numbers, id cards cancelled, and eircom should compesate lost time, effort and any cost involved. on the top of this eircom should terminate contracts with these users and pay bills for the users for agreed period of time in different company.

but eircom doesnt have balls to do something like this...

witless1

Marcin_diy wrote: »

all affected customers should already have their cards, account numbers, id cards cancelled, and eircom should compesate lost time, effort and any cost involved. on the top of this eircom should terminate contracts with these users and pay bills for the users for agreed period of time in different company.

but eircom doesnt have balls to do something like this...

To that end I emailed the Passport Office asking their opinion on it. They recommended that I get a new passport and write a letter outlining the concerns I have and to why I want a replacement (as they don't like replacing passports willy nilly). They also alerted me that their audit department, on receipt of such an application, would put me on a "stop list". The stop list is an administrative precaution which will slow down any future attempts at requesting a passport and will require them to phone me and confirm that I made the application and also confirm some details. It's only a stop list from that point of view and wouldn't impact on travelling or clearing any passport control. The cost of a passport in that scenario is the full cost of €88.50 if going through a PO or €95 otherwise. Not including the cost of getting the photo taken as well I might add. So that's what it will cost me to protect my personal identity and privacy not to mention any hiccup that could potentially happen in the future. I'm pressing Meteor hard on this with no answers coming back to me because I am not in a situation to hand that money out off the bat.

What really really is hitting a nerve with me is the lack of clear information from Eircom on what to do. My bank have indicated a change of cards is mandatory and the passport office are rather clear of their stance on it. Eircoms statement said to be observant and that was pretty much it, no recommendations at all. Absolute joke.

(I can PM on the email the Passport office sent me if anyone is interested, enough of my details are in the public realm so not copying / pasting anything else!!)

dub45

Can somebody please explain why passport information utility bills etc was transferred to laptops and transported outside HQ. this stuff is a huge prize for anyone in the identity theft game.

I cannot think of any reason why this should happen.

A simple answer in plain English please and can I remind you in advance this is our information not Eircom's and we are entitled to a full explanation.

Marcin_diy

dub45 wrote: »

Can somebody please explain why passport information utility bills etc was transferred to laptops and transported outside HQ.

I would like to know as well if person/s responsible for this and their managers + head of security already lost their jobs and if information about what they did was added to their p45.

Sponge Bob

The laptops with Customer data were office use only...like a desktop. No staff member removed them from the office...unless the thief was staff.

Marcin_diy

Sponge Bob wrote: »

The laptops with Customer data were office use only...like a desktop. No staff member removed them from the office...unless the thief was staff.

I don't buy it. sensitive data should be kept on the secured network drive, not on the local hard drive of laptop or pc.

dub45

Sponge Bob wrote: »

The laptops with Customer data were office use only...like a desktop. No staff member removed them from the office...unless the thief was staff.

How do we know that? And even so the question remains - surely passport information should be used to confirm the identity of the customer and then safely filed or even destroyed?

We have allowed companies to accumulate huge amounts of information and the simple fact is as proven here that they cannot be trusted to adhere to even their own policy.

There is another huge database being generated by greyhound as they accumulate debit card information on thousands of people and nobody bats an eyelid.

There are over 5000 businesses in the dd scheme all of whom have the potential to do this type of thing and it's outrageous.

wingnut

My credit card was used fraudulently at the end of December. When I rang my provider they seems to tweak it straight away. I told them I was always careful with my card. They said it appeared a legitimate retailer had their information compromised. I have been an e-Mobile customer and switched to Meteor around November/December.

Too much of a coincidence? Anyone else have the same happen them?

eircom: Tony

dub45 wrote: »

By their own admission the laptops were not encrypted



If a company does not even ensure that it's own data policies are complied with how can they be trusted?

Why is customer and employee data be transferred to laptops anyway?

Hi dub45
I take your point and it is exactly those issues that are currently under intense audit to ensure this cannot happen again. The companies policy requires that all laptops be encrypted and while these were password protected, they were not encrypted.
I can confirm that these laptops were indeed removed from eircom offices and had not been in transport to any outside offices at time of theft.
Tony

Loggie

Loggie wrote: »

That's all very well in relation to bank details and being vigilant but with regards to personnal details, driving licence etc the fact remains it is not possible to monitor how someone may be using my stolen identity today, tomorrow or in 10years time. What is the eircom line on that?

Tony does eircom have advice on identy theft and what can be done about it? Waiting since friday for a supervisor to ring me. Was told on friday that the supervisor handling this issue would contact me by the end of business friday. Maybe they lost my number

eircom: Tony

Loggie wrote: »

Tony does eircom have advice on identy theft and what can be done about it? Waiting since friday for a supervisor to ring me. Was told on friday that the supervisor handling this issue would contact me by the end of business friday. Maybe they lost my number

I really hope not Loggie:mad:
Can you PM me your details ( just tel no, contact no. and what was advised you on Friday, can you remember the agents name?) If you were advised you would receive call back you should have received this.
I will chase for you.
Tony