Data Breach

Seth Brundle

I don't think you have to prove damages in the same way that you would for say personal injury. Art 82 says that any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
This is an EU Regulation so trumps domestic legislation (someone mentioned the previous Avt).
It doesn't specify specific injuries so anxiety or stress would presumably be acceptable.
The directive doesn't quantify the amount but does give the right to compensation for each and every person affected by the breach. It could be that each person is given €0.01 or €1M: that would be for a court to decide.

Sardonicat

McGaggs wrote: »

CeilingFly wrote: »

Funny,  most people throw bills into their bin without a thought , but get all worked up over fairly basic information is in a data breach.

Its relatively minor compared to the major data breaches from places like tk maxx, clarks shoes and others where credit card numbers and full customer details taken - yet the whiners weren't on boards about that???

Who the hell gets paper bills from eir?

Pretty easy to do a chargeback on a credit card.

I do! I insist on paper bills from all utility/providers.

sexmag

Seth Brundle wrote: »

It doesn't specify specific injuries so anxiety or stress would presumably be acceptable./

Pressumming it is acceptable (although as i quited earlier on non material damage it doesn't fit that description)again this would need to be proven I.e. by doctors confirmation of all applicants (assuming this is the angle they are all going for and again 37k people all stressed because their email was stolen is unfathomable) also Eir would be well within their right to challenge this and have an independent doctor assess the claimants, this would also take years and ultimately flood the court system.

Ultimately a judge more than likely won't entertain such a time wasting class action and dismiss it

But them I'm not a judge so who knows what would happen

circadian

The scenario for me, from experience is probably one of the following;

1. In preparation for GDPR a company rollout of encryption was enforced. This particular user decided to turn it off/bypass it because it was annoying.

2. This is a management level employee that outright refused encryption for whatever reason of technical enlightenment. IT team would hopefully be smart enough to have all this in writing.

3. Tech support turned off encryption to troubleshoot something, never bothered their arse turning it back on.

4. Was in fact, a personal laptop with records emailed and stored there to work at home because they think their work laptop is shyte.

Johnboy1951

circadian wrote: »

The scenario for me, from experience is probably one of the following;

1. In preparation for GDPR a company rollout of encryption was enforced. This particular user decided to turn it off/bypass it because it was annoying.

2. This is a management level employee that outright refused encryption for whatever reason of technical enlightenment. IT team would hopefully be smart enough to have all this in writing.

3. Tech support turned off encryption to troubleshoot something, never bothered their arse turning it back on.

4. Was in fact, a personal laptop with records emailed and stored there to work at home because they think their work laptop is shyte.

Should any of those be fact then some heads need to roll, and a huge fine imposed on eir.
 

STB.

EIR Press Release wrote:

Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved.

The first line of the press release is obviously written by one of the dunces that thinks nothing of carrying around unencrypted customer data no doubt through ignorance of Information security in the first instance. They clearly don't take data protection seriously.

What kind of organisation allows someone to copy 37000 records from the main information server to carry around mobile. What position did this cavalier individual hold ?

What was so special about these 37000 customers that such detail was extracted to a laptop at all ?

Finally, it's an insult to my intelligence that they couldn't be upfront rather than say that the laptop (if it was a laptop and not something else) was decrypted by a failed update the previous night. Even if such an unlikely failure arose it wouldn't result in decryption and even if it did it was unwise to be knowingly carrying this around.

This smells to high heaven and I'd say it was more than 37000 customers.

I hope the fines are crucifying.

Seth Brundle

STB. wrote: »

Finally, it's an insult to my intelligence that they couldn't be upfront rather than say that the laptop (if it was a laptop and not something else) was decrypted by a failed update the previous night. Even if such an unlikely failure arose it wouldn't result in decryption and even if it did it was unwise to be knowingly carrying this around.

A faulty security update did not decrypt the laptop!

Edit: in the remotest possibility (i.e. in tthe g3 land of unicorns) that something went wrong, how did Eir's IT pre-release testing of the security update not reveal tha it was faulty?

STB.

Seth Brundle wrote: »

A faulty security update did not decrypt the laptop!

I know !

What kind of flimsy IT policy allows the extraction of such a block of records in the first instance. They need to lock all that down.

I'd suspect that its more likely a disgruntled employee with elevated rights skedadled with a load of data.

Let's see what the DP comes up with.

Seth Brundle

STB. wrote: »

I'd suspect that its more likely a disgruntled employee with elevated rights skedadled with a load of data.

Nope. It was more likely a rushed press release that sought to blame IT without coming up with a plausible reason when looked at by IT experts.
The most likely reason the laptop wasn't encrypted when it was stolen was because it had never been encrypted!

STB. wrote: »

Let's see what the DP comes up with.

I won't hold my breath!

Grab All Association

I’m one of the affected customers. Just got the email earlier today.

If it was a random opportunistic theft then it’s most likely the thief will wipe the machine and sell it/scrap it.

Orchestrated theft by an employee/scammer(s) then that’s worrying.

If what they are saying is true that it’s only limited to name, email, account number and phone then

1. Eir need to change customer account numbers ASAP

2. Offer change of phone number to those who want to avail of it free of charge

3. Change of email address for login to myeir
I tried to change this earlier myself and couldn’t.

4. Introduce a 4-6 digit pin to all affected customers accessing eir support over the phone.

5. Compensation of some sort to the “37000” customers credited on their bill, free upgrade to higher speeds or an exit from contract as a goodwill gesture.

6. Cover costs for ICB/credit insights (aka experian which eir records payments on) credit checks.

This must be the second or third time this has happened. I know Meteor customers were affected by something similar a number of years ago. A laptop containing copies of passports wasn’t it?

irishgoat

I'm one of the effected too. When I got the email I just nodded my head. They are the worst company I've ever had to deal with in my life so this didn't really surprise me. I think eir hire down and outs and just put them on the phones and in the offices, must be really low pay or something and just don't care how they work with customers.

I really hate eir so much.

sexmag

Grab All Association wrote: »

I’m one of the affected customers. Just got the email earlier today.

If it was a random opportunistic theft then it’s most likely the thief will wipe the machine and sell it/scrap it.

Orchestrated theft by an employee/scammer(s) then that’s worrying.

If what they are saying is true that it’s only limited to name, email, account number and phone then

1. Eir need to change customer account numbers ASAP

2. Offer change of phone number to those who want to avail of it free of charge

3. Change of email address for login to myeir
I tried to change this earlier myself and couldn’t.

4. Introduce a 4-6 digit pin to all affected customers accessing eir support over the phone.

5. Compensation of some sort to the “37000” customers credited on their bill, free upgrade to higher speeds or an exit from contract as a goodwill gesture.

6. Cover costs for ICB/credit insights (aka experian which eir records payments on) credit checks.

This must be the second or third time this has happened. I know Meteor customers were affected by something similar a number of years ago. A laptop containing copies of passports wasn’t it?

I was going to quote each part of your post to say how ridiculous that is but I wouldn't waste me time,you have absolutely no idea what you're talking about but too humour you I've decided to do so...

To change a phone number of 37k would take months,to create 37k new account numbers would take months.
To change an email address I actually agree with, should be an option in fairness.
4-6 digit pin, I know people who work there,the majority of customers hardly have their account number to hand let alone a pin a number,also another blockade to access someone's account will just piss them off.
Compensation?....for what? Look up the definition of the word,this country thinks their enititled to money for any little wrong doing, compo culture gone made.
ICB credit? How are they effected at all,did you read what data was lost?

Grab All Association

sexmag wrote: »

I was going to quote each part of your post to say how ridiculous that is but I wouldn't waste me time,you have absolutely no idea what you're talking about but too humour you I've decided to do so...

To change a phone number of 37k would take months,to create 37k new account numbers would take months.

Suck to be eir then wouldn’t it? Why should customers be potentially put at risk from scams/cold calls because an employee was careless not to secure their property?
If it takes months then so be it.

4-6 digit pin, I know people who work there,the majority of customers hardly have their account number to hand let alone a pin a number,also another blockade to access someone's account will just piss them off.

Works for their bill pay mobile customers. If you don’t have the sim pin you don’t get through to customer care.

Compensation?....for what? Look up the definition of the word,this country thinks their enititled to money for any little wrong doing, compo culture gone made.

This is the second time this a breach like this has happened to this company in less than 8 years. If customers don’t feel comfortable staying with them then they should be allowed to leave without penalty.

ICB credit? How are they effected at all,did you read what data was lost?

Again this has happened twice In under 8 years. Would you honestly trust them that no other information (name addresses, DOB, ID financial etc) is on that laptop? Once is too much. Twice is just sheer incompetence. Iirc it took the meteor reps at the time days to confirm people’s passports were on the laptop missing.

irishgirl19

My data was breached. I want to cancel my account now after this but I am in contract. Will Eir allow us to cancel without early exit fees due to the circumstances?
I am with Eir mobile

ArrBee

irishgirl19 wrote: »

My data was breached. I want to cancel my account now after this but I am in contract. Will Eir allow us to cancel without early exit fees due to the circumstances?
I am with Eir mobile

I think there is a strong argument for allowing contracts to be cancelled without penalty.
But, probably not clear cut....

Henry Ford III

I've got a holding email from a large firm of solicitors specialising in data protection.

This could get interesting yet......

henryforde80

STB. wrote: »

The first line of the press release is obviously written by one of the dunces that thinks nothing of carrying around unencrypted customer data no doubt through ignorance of Information security in the first instance. They clearly don't take data protection seriously.

What kind of organisation allows someone to copy 37000 records from the main information server to carry around mobile. What position did this cavalier individual hold ?

What was so special about these 37000 customers that such detail was extracted to a laptop at all ?

Finally, it's an insult to my intelligence that they couldn't be upfront rather than say that the laptop (if it was a laptop and not something else) was decrypted by a failed update the previous night. Even if such an unlikely failure arose it wouldn't result in decryption and even if it did it was unwise to be knowingly carrying this around.

This smells to high heaven and I'd say it was more than 37000 customers.

I hope the fines are crucifying.

In any large company people have customer data on laptops, phones. This is fact for every large company.

The only issue here is lack of encryption software which is one of three things:
#using lacklustre old encryption software with no reporting server so they have no idea if the laptop was encrypted or not.
#Laptop was never encrypted.
#Tried to uninstall current encryption software and deploy a new updated encryption package(Lazy and should never ever be done and can fail).

If they had proof the laptop was encrypted we wouldn't even hear about this.

AndrewJRenko

henryforde80 wrote: »

In any large company people have customer data on laptops, phones. This is fact for every large company.

Speak for yourself.

Any large company using Windows Direct Access or Citrix has NO data on laptops or phones.

Henry Ford III

UPDATE


A firm of solicitors is taking the case on my behalf against Eir on a "no foal no fee basis".

They say they have a good number of customers whose data was breached signed up already, but they are looking for more as this will reduce costs per capita.

Please drop me a pm if you are also affected, and I'll happily pass on the contact details.

paddyjoe183

I am also one of the effected, I have logged a complaint with the Data Protection commission in relation to it to see what they have to say about it. 

I suggest everyone do the same to stop this happening again.

Here's the link to the complaints Data Breach Form

Henry Ford III

Solicitor has contacted Eir, who have accepted responsibility for the data breach.

Requests for info are ongoing.

Looks like the case is now headed for the courts. If another case gets heard before mine though the result is likely to make an important precedent......

Stay tuned.