Irish energy provider Bord Gáis says that a stolen laptop holding the account details, including bank records, of 75,000 customers would be very difficult to get into, even though the data on it is unencrypted. The laptop is one of four stolen during the early hours of June 5 from Bord Gáis offices on Foley Street in Dublin.
[Image: Bord Gáis headquarters, Cork. Caption: Stolen laptop contained 75,000 unencrypted customer records]
“That's bad enough, [that there were four laptops stolen] but best practices in IT security mean that the sensitive customer data shouldn't have been stored on a laptop in the first place – it should have been digitally vaulted or at the very least encrypted locally and accessible only on a need-to-use basis,” said Mark Fulbrook, Cyber-Ark's UK and Ireland Director while discussing the incident.
Whilst there is a case for allowing access to customer records remotely, the information should never include customer payment details, and certainly not their bank account information unless through a secure channel with full authentication, encryption and security measures in place such as digital vaulting, Fulbrook added.
Speaking to RTÉ radio, Dave Bunworth, managing director of Bord Gáis Energy, said that the laptop would be difficult to get into despite its not being encrypted. “I don’t want to minimize the risk but this is not a normal laptop that you could break into that easily,” he said. The reason given is that a username and password are needed to access the data.
Bunworth may take comfort from the username and password protecting the data, but that is no reason for any of the 75,000 people to breathe a sigh of relief. An operating system login password only controls who the operating system lets in; it does nothing to the bytes sitting on an unencrypted drive. Whoever has the laptop does not need to crack that password at all: they can remove the disk and attach it to another machine, or boot from a USB stick, and read the files directly. Only disk or file encryption makes possession of the hardware insufficient, and by the company's own account that encryption was not in place.
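To make the point above concrete, here is a scan over raw file bytes that finds bank account numbers without any login, the kind of check an auditor could run over a laptop's disk image before the machine is issued, and equally the kind a thief could run over a drive pulled from a stolen one. This is an added example, not code from the article or from Bord Gáis. It validates each candidate with the ISO 7064 mod-97 check used by IBANs so that random digit runs are ignored, and it accepts the space-separated form people type. The customer records embedded below are constructed for the example; the IBANs are format-valid but fictitious.

```python
"""Find plaintext IBANs in raw bytes, with no credentials involved.

Added example for illustration; the sample records are constructed and the
IBANs in them are fictitious. No real customer data is used.
"""
import re

# IBAN shape: 2-letter country code, 2 check digits, then up to 30 more
# alphanumerics, optionally grouped with single spaces (the way people type
# them). Matched against bytes so it works on a raw disk image as well as a
# text file; \b in a bytes pattern is an ASCII word boundary.
IBAN_RE = re.compile(rb"\b([A-Z]{2}[0-9]{2}(?:[ ]?[A-Z0-9]){11,30})\b")

# Fixed IBAN lengths for a few countries (ISO 13616). Used to reject
# candidates that pass mod-97 by chance but cannot be a real IBAN.
IBAN_LENGTHS = {"IE": 22, "GB": 22, "DE": 22, "FR": 27, "NL": 18}


def iban_valid(iban):
    """ISO 7064 mod-97 check.

    Strip spaces, move the first four characters to the end, replace each
    letter A..Z with 10..35, and the resulting integer must be 1 mod 97.
    """
    iban = iban.replace(" ", "").upper()
    country = iban[:2]
    if country in IBAN_LENGTHS and len(iban) != IBAN_LENGTHS[country]:
        return False
    rearranged = iban[4:] + iban[:4]
    # int(ch, 36) maps '0'..'9' to 0..9 and 'A'..'Z' to 10..35.
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def scan_for_ibans(data):
    """Return every checksum-valid IBAN found in raw bytes, with its offset.

    Each hit is a dict {"offset": byte_offset, "iban": normalised_iban}.
    Candidates that fail the mod-97 check are dropped as false positives.
    """
    hits = []
    for m in IBAN_RE.finditer(data):
        candidate = m.group(1).replace(b" ", b"").decode("ascii")
        if iban_valid(candidate):
            hits.append({"offset": m.start(), "iban": candidate})
    return hits


def scan_file(path):
    """Scan a file (or a raw device/image file) byte by byte for IBANs."""
    with open(path, "rb") as fh:
        return scan_for_ibans(fh.read())


# Constructed sample: a CSV export of the kind that should never sit
# unencrypted on a laptop. The IBANs are fictitious; the second row carries
# deliberately wrong check digits to show the false-positive filter working.
SAMPLE_RECORDS = (
    b"account_no,name,iban\n"
    b"10001,A. Customer,IE70BOFI90001712345678\n"      # checksum-valid
    b"10002,B. Customer,IE00BOFI90001712345678\n"      # bad check digits: ignored
    b"10003,C. Customer,GB82WEST12345698765432\n"      # checksum-valid
    b"10004,D. Customer,IE70 BOFI 9000 1712 3456 78\n"  # same as row 1, spaced
)


if __name__ == "__main__":
    # No username, no password: the bytes are simply read and searched.
    for hit in scan_for_ibans(SAMPLE_RECORDS):
        print(f"offset {hit['offset']:>5}: {hit['iban']}")
```

Run over a real image with `scan_file("/path/to/disk.img")`; on a disk that was full-disk encrypted the same scan returns nothing, because the bytes on the platter are ciphertext, which is exactly the property the login password cannot provide.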
Bord Gáis started contacting customers and banks last week, informing them of their options. Customers who were listed in the records on the stolen laptop are being encouraged to monitor their bank accounts for suspicious transactions.
“This latest data breach shows that, despite countless previous incidents, companies still haven’t learnt the importance of protecting customer data. Bord Gáis needs to make it clear why it was necessary for a significant number of customer records to be on an unprotected machine,” said Jamie Cowper, Director of Marketing EMEA, at PGP Corporation.
Why the records were on a laptop at all remains unexplained; the lack of encryption was put down to a “flaw in the system,” according to statements from Bunworth to The Irish Times.
“We have had an aggressive system of encrypting since last July and this computer should have been encrypted before it was given to the staff member; it was a flaw in the system,” he told the paper, shortly before he commented about the security of the username and password combination.
“…to store customer bank account data unencrypted on a laptop goes against all known IT security procedures. It's a very serious procedural error,” Fulbrook said.
Bord Gáis has not recovered the laptops, and according to reports, initial inquiries into who might have stolen them have turned up no credible leads.