Four laptops belonging to Bord Gais in Ireland (I think that's Irish for "gas board") were stolen. One of them was not encrypted and held the bank account details of 75,000 customers. It looks like the lack of data protection, however, was an oversight, since there was already a program in place for installing data encryption software on the energy company's laptops.
The four laptops were stolen on June 5 from Bord Gais offices in Dublin, but customers were not alerted, according to The Irish Times, because the gardai (the police) had a lead on who may have stolen the computers, and it could have compromised the investigation. A public announcement was made today (one assumes the investigation is over), and customers will be contacted individually next week.
It sounds like most of the 75,000 affected were customers who had switched over from the Electricity Supply Board (Bord Gais has recently gone into the electricity business, and had a pretty popular campaign to push its services).
One thing to note is that Bord Gais was not targeted specifically: other buildings in the area adjacent to their offices were burgled as well.
Labour Party spokeswoman Liz McManus has noted that "the loss of four laptops, including containing the details of some 75,000 customers may be excusable, but the abject failure to encrypt the customer details on the computer, is not," [irishtimes.com]
I agree...but I also disagree. It's true that encryption software should have been installed on the one computer, at least. And, when you consider the type of information on that one computer, it should have been installed on the double.
But, it's not as if Bord Gais was not implementing encryption. It's been doing so since July of last year; this particular computer just happened to slip through the cracks.
I don't know how many computers Bord Gais owns, but if they've got more than one thousand of them, I can see how it took them a while to encrypt all of them.
Encrypting a computer is not that hard; do it for a group of computers, and it becomes a logistical nightmare. Not only must one encrypt the computer (which requires someone sitting in front of the computer), one must also keep track of all the different encryption keys. And, how is one supposed to tell whether a particular computer was not encrypted?
Now, with a centrally managed encryption software suite like AlertBoot, which was designed with such problems in mind, it's pretty simple.
But, depending on which encryption software Bord Gais decided to go with (I can officially say that it's not AlertBoot), it could have taken them longer than a year to protect all of their corporate laptops. This tends to be the case when people choose an encryption package that was not really designed for corporate settings, where a great number of computers must be protected.
So, while not having that one laptop computer encrypted is inexcusable, it's also understandable: it was just too soon to have all loose ends tied up.
Related Articles and Sites:
http://www.rte.ie/news/2009/0617/bordgais.html
http://www.irishtimes.com/newspaper/breaking/2009/0617/breaking70.htm
http://breakingnews.iol.ie/news/ireland/energy-customers-bank-details-on-stolen-laptop-415271.html
http://news.bbc.co.uk/2/hi/uk_news/8106231.stm