Telecoms companies Eircom and Meteor have been ordered to pay €15,000 each to charity after the details of over 10,000 customers were compromised when two unencrypted laptops were stolen.
The companies were prosecuted by the Data Protection Commissioner before Dublin District Court today in relation to the data breach involving two laptops stolen from Eircom’s offices at Parkwest in Dublin between December 28th, 2011 and January 2nd, 2012.
The court heard information on the computers included customer details such as names and addresses and copies of proof of identity documents such as driving licences, passwords and utility bills. This had potentially exposed them to identity theft.
Each company pleaded guilty to three charges relating to failure to take appropriate security measures to protect the personal information on the laptops, of failing to notify the commissioner of the breach without undue delay, and of failing to notify their customers of the theft of their information without undue delay.
An initial breach report to the commissioner’s office in February indicated that the number of affected customers was 454 in the case of Meteor and 6,597 in the case of Eircom’s Emobile customers. Following “intensive” contact between the commissioner and the companies, an updated breach report submitted on March 15th revealed that the numbers were greater than originally thought.
The revised figures were 3,944 Meteor customers and 6,295 Emobile customers affected by the data breach.
In relation to 142 of the Emobile customers, the personal data in question was in the form of customer application forms including proof of identity, eg copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills.
The other 6,153 cases contained details such as name, address, telephone and account number.
Assistant data protection commissioner Tony Delaney told the court the laptops had been password protected but not encrypted, which was a “key failing” by the companies. Mr Delaney said this was a “basic requirement” to protect the personal information on the machines.
“Personal data in the wrong hands is lethal,” Mr Delaney said. “The threat of identity theft remains, unfortunately, for the affected parties.”
Judge O’Neill said he believed a €15,000 donation to charity by each company would be appropriate in the circumstances.