Data Protection Breach

Manner16

Long story that seems to be a recurring trend when it comes to Eir.

2 weeks ago at about 7 o clock when on a call my service dropped. I assumed it might just be a network issue. The signal didn't return in 30 mins so I went to the carphone warehouse where they told me that my number had been switched to a different sim card (Which I hadn't done myself)

Carphone Warehouse switched my number back to a new sim card (Where I had to give photo ID and a special date that was recorded on my account)

As the Eir call centre was closed at this stage I waited until Friday morning to call. When I called they advised me that because the switch had happened in one of their stores they couldn't help me on the phone. So at that stage I left work and made my way to the Eir store on Henry Street in Dublin. After waiting for 30 mins one of their staff members was able to tell me that the switch was allowed to happen in one of their stores without any verification of personal details or asking for photo ID. The excuse for them letting this happen was that "She was a new member of staff and hadn't been fully trained in yet"

At this point I was promised that the manager was going to lodge this with the Data Protection commissioner and he would call me back with a reference number. (I'm still waiting on this call)

That Friday evening I called the call centre again to raise a complaint about this issue where I was again fobbed off with an agent stating "They didn't use any of your data or calls so you should be happy" I raised the complaint myself on the website where it states you will receive a call within 72 hours. (I'm still waiting on this call)

I've had to leave work twice to get this sorted. I have had numerous calls into eir sitting on hold to be told they have no information for me. They seem incompetent at doing their job and don't seem to want to take charge of a clear data protection breach on their behalf.

I've raised the complaint myself now with the DPC and have also have received legal advice on this issue.

I've 5 months left on my contract but at this stage I'm switching my services from them from tomorrow onwards.

I couldn't advise people enough to stay away from Eir. The hassle I've had the last 2 weeks with them has been a nightmare.

ytpe2r5bxkn0c1

Were you on liveline recently?

Manner16

Yes on Monday afternoon.

drunkmonkey

You will end up in collections with Eir if you have remaining months on your contact and are refusing to pay, they may not allow your number to port before you complete your contact obligations. Be aware of that before you sign up to a new contact as you'll be tied to that as well.
Comreg is the communications regulator, your going at this whole thing arseways.

Manner16

Spoke to COMREG already and there is nothing they can do as I got my number back and they don't deal with data protection breaches. But I appreciate your condescending reply!

drunkmonkey

Off you go, sign up the new contact. Default on Eir. Best of luck ever moving networks again after your next move.

Manner16

Thanks for your concern

.......

drunkmonkey wrote: »

Comreg is the communications regulator, your going at this whole thing arseways.

The Data Protection Commissioner is the correct office for data breaches.

Phileas Frog

Where's the Data Protection breach?

Seth Brundle

Phileas Frog wrote: »

Where's the Data Protection breach?

Obviously they aren't using appropriate precautions with a customers sensitive data.
It was used by someone who didn't know what they were doing.
It was used in a manner that was not authorised.
etc.

dudara

Can you outline where you feel your personal data was breached? I’m not seeing it right now.

I can see that there was an error in a process, which they have since rectified. But I’m not sure what more is needed.

Manner16

Phileas Frog wrote: »

Where's the Data Protection breach?

They allowed a person to go into their store and switch my mobile number onto another sim card without doing any DPA checks. They didn't confirm that it was me that was switching the number

.......

Phileas Frog wrote: »

Where's the Data Protection breach?

They basically allowed someone else take her phone number, and this could have led to all manner of private sensitive information being available to that person, from text messages to voice mails to phone calls.

Its certainly a data protection issue IMO.

Did the other person have your name? Was it simply a mistake in keying the number to the sim card or something?

Manner16

....... wrote: »

They basically allowed someone else take her phone number, and this could have led to all manner of private sensitive information being available to that person, from text messages to voice mails to phone calls.

Its certainly a data protection issue IMO.

Did the other person have your name? Was it simply a mistake in keying the number to the sim card or something?

So Eir have been fairly cute with the info they've given me on what actually happened in the store. All I know is that it was done without checking who it was that was actually making the switch.

Definitely wasn't a mistake from what I've been told

Manner16

From the liveline call I had the other day the exact same thing happened to another person. They where a bit more unlucky than I was. Whoever switched the number had the persons card details also and was able to make purchases through their bank account as they where able to get a verified by visa code texted to the new sim card

Dav010

Manner16 wrote: »

From the liveline call I had the other day the exact same thing happened to another person. They where a bit more unlucky than I was. Whoever switched the number had the persons card details also and was able to make purchases through their bank account as they where able to get a verified by visa code texted to the new sim card

How did they get that persons name, card number, expiry date and SVV from their phone number? I have hundreds of contact numbers in my phone, I can’t buy anything online with their mobile number.

What personal data stored by Eir did the other person get, beyond a phone number? Are you accusing an employee of CW of doing it to commit fraud?

Manner16

Dav010 wrote: »

How did they get that persons name, card number, expiry date and SVV from their phone number? I have hundreds of contact numbers in my phone, I can’t buy anything online with their mobile number.

I didn't say they got it from their phone number. I said they had card details for the customer also.

Dav010

Manner16 wrote: »

I didn't say they got it from their phone number. I said they had card details for the customer also.

So you saying someone in the shop did it?

That would have to be the worlds dumbest criminal, a very small pool of suspects, log in records on shop computer etc. No doubt the Gardaí were easily able to identify the employee.

But back to you, what personal data was given away?

L1011

Number hijacking to defeat SMS based "two factor" authentication is becoming more and more common so I wouldn't write that off.

I would be fairly certain the DPC will see this as a data breach

drunkmonkey

Yea some networks have completely clamped down on it. This sounds like a store error though seen as they admitted it in store.

.......

drunkmonkey wrote: »

This sounds like a store error though seen as they admitted it in store.

Error alright but that error constitutes a data breach and OP is correct to follow up with DPC.

Companies like eir might take a bit more care with customer sensitive data if they get slapped with large fines for data breaches. Too much of a "whatever" attitude from a lot of them.

drunkmonkey

Eir are constantly slapped, water off a ducks back to them they really don't give a crap.

.......

drunkmonkey wrote: »

Eir are constantly slapped, water off a ducks back to them they really don't give a crap.

The possible fines that one can be slapped with since GDPR are far more significant than they used to be.

Phileas Frog

This could be pertinent. https://www.independent.ie/irish-news/news/dublin-man-20-wanted-by-us-authorities-in-connection-with-2-5m-cryptocurrency-fraud-arrested-by-gardai-38098424.html

TheChizler

If it was an error it's a common one in eir stores. Twice I've had to get replacement SIMs and never had to provide any proof of identity. The first time I just gave my number and name. The second time I just gave my name, and the person in store was good enough to ask was X my number and was Y my address, to which I just said yes and they handed me a new SIM.

You could cause serious trouble for someone with that information and access.

ifah

This is most relevant here : https://extra.ie/2019/03/09/news/irish-news/gardai-sim-card-swap-scam

Sim Swap scams or attacks are becoming more common as someone mentioned above - fraudsters are using the process to bypass 2fa on mobile banking apps.

longgonesilver

OP what did the Guards say when you reported this incident?

The CCTV footage from the store might help them with a different case even if nothing happened on yours.

You can check where your gmail account was !ogged onto, and the device used. Also check spam and deleted folders for suspicious activity.

Is it possible to get texts resent from the time you were locked out?

Manner16

Just an update on this situation.

Have had a call from an Eir rep in the complaints team. They have accepted the complaint that I have made after their investigations.

They have cancelled my contract and offered me 4 months free service while I decide where I want to switch my services to.

I could probably take this further but have been happy enough to accept the offer and move on from it now.