
Data Breach


  • Registered Users Posts: 13,180 ✭✭✭✭Purple Mountain


    sexmag wrote: »
    To be fair the laptop wouldn't have solely been the purpose of these 37k customers, most likely the manager received a file to review, could have been a spreadsheet of data collected to help understand something better, this is their work laptop, many people take them home, it's possible he went to a beach to continue working off site and was mugged... who knows.

    The data that was taken will have no effect on people.

    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    To thine own self be true



  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.


  • Registered Users Posts: 13,180 ✭✭✭✭Purple Mountain


    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers?

    To thine own self be true



  • Registered Users Posts: 14,017 ✭✭✭✭Johnboy1951


    I think the main concern is that a bunch of laptops had failed encryption, from the previous day, and at least one is allowed off premises in that state, and gets stolen.


    I wonder what are the chances of all those events coinciding like that?


  • Closed Accounts Posts: 1,758 ✭✭✭Pelvis


    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers?

    Do you work in the real world? You understand people work remotely, yes?

    The problem is not that the laptop was in a public place, the problem was inadequate security measures on the laptop.


  • Closed Accounts Posts: 166 ✭✭henryforde80


    Work laptops should not be allowed off site- period.
    If some manager needs to 'understand something better', do it in eir's office.
    As for the data taken having no effect on people, 37k names, addresses and email addresses are a goldmine to advertisers and marketing companies.

    Work laptops should not be allowed off site? Funniest comment I ever read.

    The problem here is that Eir service desk are not encrypting all their laptops or I.T. Security are not monitoring report logs to see if all laptops are encrypted. Must have lacklustre security standards.
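
A sketch of the report monitoring the post above describes, as an added example that is not part of the thread and not eir's tooling. It reads constructed device check-in records (the CSV columns, hostnames and dates are assumptions) and flags laptops whose disk encryption has regressed, was never on, or has not reported recently.

```python
"""Flag laptops whose disk-encryption state needs attention (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one row per device check-in.
# The column names, hostnames and dates are assumptions for this example.
SAMPLE_REPORT = """\
hostname,checked_at,disk_encrypted
LT-0001,2024-03-07T09:00:00,yes
LT-0002,2024-03-07T09:02:00,yes
LT-0003,2024-03-07T09:04:00,yes
LT-0004,2024-03-07T09:06:00,no
LT-0005,2024-03-01T09:00:00,yes
LT-0001,2024-03-08T09:00:00,yes
LT-0002,2024-03-08T09:02:00,no
LT-0003,2024-03-08T09:04:00,no
LT-0004,2024-03-08T09:06:00,no
"""


def load_checkins(text):
    """Parse the report into {hostname: [(checked_at, encrypted), ...]}, oldest first."""
    history = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.fromisoformat(row["checked_at"])
        encrypted = row["disk_encrypted"].strip().lower() == "yes"
        history[row["hostname"]].append((when, encrypted))
    for checkins in history.values():
        checkins.sort()
    return history


def find_encryption_gaps(history, now, max_age=timedelta(days=2)):
    """Return {hostname: finding} for every device that is not provably encrypted.

    STALE            no recent check-in, so the current state is unknown
    REGRESSED        was encrypted in an earlier check-in, is not now
    NEVER_ENCRYPTED  has never reported as encrypted
    """
    findings = {}
    for host, checkins in history.items():
        last_seen, encrypted = checkins[-1]
        if now - last_seen > max_age:
            findings[host] = "STALE"
        elif not encrypted:
            was_encrypted = any(state for _, state in checkins[:-1])
            findings[host] = "REGRESSED" if was_encrypted else "NEVER_ENCRYPTED"
    return findings


def regressions_by_day(history, findings):
    """Group regressed hosts by the date their state flipped to unencrypted.

    Several devices flipping on the same date suggests a fleet-wide cause
    rather than one user's machine.
    """
    by_day = defaultdict(list)
    for host, kind in findings.items():
        if kind != "REGRESSED":
            continue
        checkins = history[host]
        # Walk back from the latest check-in to the most recent yes -> no flip.
        pairs = zip(reversed(checkins[:-1]), reversed(checkins[1:]))
        for (_, before), (when, after) in pairs:
            if before and not after:
                by_day[when.date().isoformat()].append(host)
                break
    return {day: sorted(hosts) for day, hosts in by_day.items()}


if __name__ == "__main__":
    history = load_checkins(SAMPLE_REPORT)
    findings = find_encryption_gaps(history, now=datetime(2024, 3, 8, 17, 0))
    for host, kind in sorted(findings.items()):
        print(f"{host}: {kind}")
    for day, hosts in regressions_by_day(history, findings).items():
        print(f"{day}: {len(hosts)} device(s) lost encryption: {', '.join(hosts)}")
```

Treating a missing check-in as a finding matters as much as the regression check: a laptop that stops reporting cannot be assumed to still be encrypted.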


  • Closed Accounts Posts: 31,152 ✭✭✭✭KERSPLAT!


    Or enforce employees to work in their designated employment office only.
    Seriously what's the point of GDPR if an employee can take their computer to a 'public place' that has personal details of their customers?

    Surely you realise that devices have to leave the office. Sure an email to a phone could have an Excel doc with thousands of customers' details on it. Should a work mobile be used only in the office? Silly talk.

    As was said, the issue is not the laptop being in a public place or it being lost/stolen really, it's the fact that it's not encrypted.


  • Registered Users Posts: 1,303 ✭✭✭sexmag


    Their statement said something like it being encrypted but due to an update it failed or deactivated the encryption, not sure how that happens and I'm sure the person with the laptop is no security expert so probably didn't know and it's an unfortunate coincidence it was stolen during the weekend this error happened.

    They say it's password protected but not encrypted and I seriously, highly doubt that this was a well thought out play from a criminal to make sure the encryption fails, the laptop is off site, steal it, have the password to access it to get the account number and email address of 37k customers. They'd have better luck firing off random phishing emails from a bot.

    I'm taking it as it is, combination of an IT failing and bad luck being stolen but with little to no damage to people and to state for the record I was affected by this.


  • Moderators, Politics Moderators Posts: 39,853 Mod ✭✭✭✭Seth Brundle


    I think the main concern is that a bunch of laptops had failed encryption
    I bet you a grand this is bullshít!


  • Registered Users Posts: 1,303 ✭✭✭sexmag


    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly.


  • Registered Users Posts: 115 ✭✭SSeanSS


    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly.
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.


  • Registered Users Posts: 14,017 ✭✭✭✭Johnboy1951


    SSeanSS wrote: »
    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly.
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.
    Is it possible that when the laptop is in use and the encryption is bypassed, or off, or whatever that allows the user to use the laptop, that some corrupted security update, during that time, could prevent the encryption from being reset correctly when the user has finished using the laptop?


  • Registered Users Posts: 1,303 ✭✭✭sexmag


    SSeanSS wrote: »
    sexmag wrote: »
    I bet you a grand this is bullshít!

    Have you any evidence to support this bet?

    A detailed report will have to be given to the DP Commissioner showing from A to Z how it all happened, any discrepancies will be made public I believe and fines handed out accordingly.
    No evidence yet, just relying on their statement but it is complete bullshít. Security updates don't work that way. I hope this will come out publicly. As for the data breach, it's not that bad. If it was stolen and password protected I'm sure it will be wiped and sold.
    Is it possible that when the laptop is in use and the encryption is bypassed, or off, or whatever that allows the user to use the laptop, that some corrupted security update, during that time, could prevent the encryption from being reset correctly when the user has finished using the laptop?
    It's not a far stretch of the imagination but human error can do some funny things.


  • Registered Users Posts: 822 ✭✭✭ArrBee


    McGaggs wrote: »
    ArrBee wrote: »
    Ahhh, It's fairly easy to imagine customer data being on a laptop.

    The only bit that I'd call out is the excuse given for the lack of encryption.
    It's clearly made up to excuse the breaking of internal policy (FAQ says it's policy for password+encryption).

    I can't think of a reason why. Why do you think they needed it? Genuinely curious to figure out why.


    There are many possible reasons, and the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example,
    Companies tend to use laptops instead of desktop PCs this century. Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performance causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc.)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it. I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening. Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.

    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as an "ahh sure it was only minor". Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    SSeanSS wrote: »
    This would not happen on Microsoft or MacOS, wouldn't happen either on most Linux distributions

    Where does it say it was OS encryption stuff?


    SSeanSS wrote: »
    There are no Microsoft or MacOS updates that will unencrypt a disk, it's complete lies!


    Where does it say it was OS encryption stuff?

    SSeanSS wrote: »
    There is one update that will crash in Windows 10 if disk is encrypted but it certainly won't dis-encrypt it.


    Where does it say it was OS encryption stuff?

    SSeanSS wrote: »
    Think of it like, how could a separate update do this.. also if this were possible we'd have heard about it already!

    telpis


  • Registered Users Posts: 5,776 ✭✭✭The J Stands for Jay


    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    If a company has employees working from home, they'd have them on their own PC using a VPN.


  • Registered Users Posts: 5,776 ✭✭✭The J Stands for Jay


    KERSPLAT! wrote: »
    Surely you realise that devices have to leave the office. Sure an email to a phone could have an Excel doc with thousands of customers details on it. Should a work mobile be used only in the office? Silly talk.

    As was said, the issue is not the laptop being in a public place or it being lost/stolen really, it's the fact that it's not encrypted.

    Any half decent company blocks emails going externally if they have unencrypted attachments.


  • Registered Users Posts: 5,776 ✭✭✭The J Stands for Jay


    ArrBee wrote: »
    There are many possible reasons, and the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example,
    Companies tend to use laptops instead of desktop PCs this century. Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performance causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc.)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it. I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening. Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.

    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as an "ahh sure it was only minor". Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.


  • Registered Users Posts: 1,621 ✭✭✭flexcon


    McGaggs wrote: »
    ArrBee wrote: »
    There are many possible reasons, and the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example,
    Companies tend to use laptops instead of desktop PCs this century. Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performance causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc.)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it. I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening. Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.

    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as an "ahh sure it was only minor". Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.
    As another example:

    Customer relations team member is off sick for a day and signs into the Eir network away via VPN from home to respond to a customer's complaint rather than wait another few days while they are off sick or back pile the load onto someone else in the office.

    Goes for lunch and forgets to sign out of VPN. Laptop stolen whilst on and open. Access to as much customer data as they want.... Temporarily mind you.

    Lots of admin work gets done in these scenarios and is honestly quite common. So many scenarios this can happen to. 

    You would be shocked at how easy any customer service agent can see your details.


    Lastly to add. Even if this laptop was taken for 24 hours missing and they got it back. Even if the laptop was never turned on. Even if no access was made to your data, they still must inform you no matter what. So the language is scary saying "It has come to our attention your data may have been compromised"

    When in fact contextually it never even came close to it. GDPR laws and requirements of language makes it sound really more nasty than it probably is.


  • Registered Users Posts: 822 ✭✭✭ArrBee


    McGaggs wrote: »
    Pelvis wrote: »
    Work laptops should not be taken off site??? Completely missing the point of a laptop, aren't you? If you enforce that policy then you force employees to use personal computers when working from home, which would be far more of a security risk.

    If a company has employees working from home, they'd have them on their own PC using a VPN.
    That's an incorrect speculation.
    That is a greater risk for virus infection.


  • Registered Users Posts: 1,303 ✭✭✭sexmag


    McGaggs wrote: »
    ArrBee wrote: »
    There are many possible reasons, and the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example,
    Companies tend to use laptops instead of desktop PCs this century. Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performance causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc.)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it. I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening. Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.

    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as an "ahh sure it was only minor". Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.
    Many travelling salesmen have laptops and lots and lots of customers' data on it, clients, their orders, locations etc, I still don't know why you can understand why a work laptop would be off site..... also they are not obliged to tell you either other than to let you know what happened.


  • Registered Users Posts: 822 ✭✭✭ArrBee


    McGaggs wrote: »
    ArrBee wrote: »
    There are many possible reasons, and the fact that there are many which are not in any way sinister or breaches themselves causes me to think that the fact that data was on a laptop in the 1st place is not the issue here, or worth getting worked up about.

    For example,
    Companies tend to use laptops instead of desktop PCs this century. Any data you work on during the day is likely stored on said laptop at least temporarily for several reasons. (network performance causes issues in client apps when working on remote data sets; the ability to roam on the laptop whilst working locally and off the network; cloud storage auto syncing locally; etc.)
    It is impractical at a personal and business level to wipe all customer data from the local disk at the end of each day, and re-sync that in the morning or as you need to use it. I know of no data protection law that prohibits the storing of such information on a local storage while allowing that same data on central storage.

    Perhaps the data was there specifically to be worked on "from home" that evening. Perhaps it was there because it had been worked on earlier in the day.
    I don't think it is relevant.

    Believe me, I am no defender of Eir and the way they conduct business and I am acutely aware of how many companies mistreat data and do not understand privacy/protection.
    I'm not dismissing the situation completely as an "ahh sure it was only minor". Instead I'm breaking it down and saying data on a laptop is pretty normal but that data should be protected.

    The only issues I see in this case are:
    1. Disk was not encrypted which seems to be against company policy
    2. The Laptop had the opportunity to be stolen in the 1st place.

    I'm just not clear on the task that would require that data that would be fine outside the office.

    Any task that would normally be performed on the data while "at work" can be performed on the data while "not at work".
    As I mentioned, that is only 1 scenario where the data would be validly stored on a laptop.  There are other scenarios.

    It sounds to me that your main point is that no one should be working outside of the office, thereby not ever taking a laptop outside of the office.
    This is an unrealistic position to have in the modern world.
    Even if it were the case, there will be situations where the data is still on a laptop and by its nature of being portable, may be in a public place.


  • Registered Users Posts: 911 ✭✭✭Mebuntu


    I'm more interested in hearing in what circumstances the laptop was stolen. Was it due to negligence? Is Eir legally obliged to provide full details?


  • Moderators, Business & Finance Moderators Posts: 17,720 Mod ✭✭✭✭Henry Ford III


    I was one of the 37,000 apparently.......

    Dear HFIII,

    I am writing to you to inform you of the loss of personal data of a number of eir customers. This issue has arisen as a result of the theft of one laptop, which was immediately reported to the Gardai. A comprehensive internal investigation and security review has been launched and the matter has been reported to the Office of the Data Protection Commissioner.

    Unfortunately the stolen laptop contained a file containing some or all of the following information specifically relating to you: name, email address, eir account number and contact number. No financial data relating to you was stored on the laptop in question, or any other personal data.

    While there is no evidence at this time that the data has been used by a third party, as a precaution we are writing to all those affected and advising them to be extra vigilant.

    On behalf of eir I would like to apologise for any concern this may cause you.

    eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and has since been corrected.

    More information in relation to this matter is available at www.eir.ie/customer-announcement

    Yours sincerely
    Catherine Lonergan
    eir Consumer and Small Business


  • Moderators, Business & Finance Moderators Posts: 17,720 Mod ✭✭✭✭Henry Ford III


    Seems there are avenues open to seek redress and compensation.......


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    Seems there are avenues open to seek redress and compensation.......

    .


  • Registered Users Posts: 712 ✭✭✭gazzamc


    Just got the email today stating they had a breach and my information was among those lost. Yesterday was the end of my contract with Eir. Fitting end to a poor service. I hope they get a hefty fine from breaching GDPR. And if I start getting dodgy calls, emails I'll be in contact with them soon. 


  • Closed Accounts Posts: 689 ✭✭✭nim1bdeh38l2cw


    What sort of security update would disable encryption? Coincidentally it was applied on the day before the laptop was stolen...

    Do Eir actually expect us to believe this nonsense?


  • Registered Users Posts: 8,671 ✭✭✭GarIT


    gctest50 wrote: »
    Where does it say it was OS encryption stuff?

    Where does it say it was OS encryption stuff?

    Where does it say it was OS encryption stuff?

    telpis

    There is no encryption that would be affected by an update if it wasn't part of the OS, the alternate would be full disk encryption.

    If it's full disk encryption and it was affected by an update, that was a complete failure of IT and there needs to be some sacking for letting a laptop back into use after a failed update.

    If it was OS level IT should have been handling that too.

    And based on the wording I don't think it was individual file encryption.

    An update affecting encryption is just barely plausible but incredibly unlikely, it's as likely as winning the lotto, and then that happening on a laptop that gets stolen, it's one of the most far-fetched stories I've heard in a long time.


  • Registered Users Posts: 1,303 ✭✭✭sexmag


    Seems there are avenues open to seek redress and compensation.......

    How is there an avenue for compensation? What damages or losses have you financially sustained by this?

    gazzamc wrote: »
    Just got the email today stating they had a breach and my information was among those lost. Yesterday was the end of my contract with Eir. Fitting end to a poor service. I hope they get a hefty fine from breaching GDPR. And if I start getting dodgy calls, emails I'll be in contact with them soon. 

    How will you prove any dodgy emails or calls came from their data breach of this laptop?

