Data Breach: The case of eir


Unless you’ve been on a digital detox this past year, you will have heard of GDPR (the new, stricter data protection laws that came into force in the EU last May). It means that your personal data must be protected more stringently and consent to process data must be more visible — have you noticed all the (sometimes annoying) ‘I Agree To Consent’ pop-ups on every new website you visit? Under the legislation, a data breach is now a serious offence, and companies in violation could face significant fines.

What is a Data Breach?

A data breach, or leak, is when a person gets unauthorised access to a secure database of information. It is usually very serious if the data that has been accessed is not normally found in the public domain; examples of personal data that would not normally be public are your PPS number or an online banking PIN. Any leaked information that could lead to unauthorised access to your financial accounts is big trouble!

You will often read stories of cyber attacks in the media, but in many cases it is human error, where policies or procedures are not adhered to, that causes these data breaches in companies. In the chart below, an investigation uncovered that 29% of breaches in healthcare were a result of employee errors. Employee errors have resulted in some of the worst breaches recorded, in some cases costing organisations millions.

data breach eir

What happened to eir on the 12th of August?

In the case of eir, a laptop was stolen from a public place on Sunday the 12th of August. eir have not disclosed why a company laptop was left in an exposed public location; we can only assume that an employee may have been transporting the laptop.

The laptop was password protected but not encrypted; both encryption and password protection are required for company data under GDPR rules. According to eir, all company laptops should be encrypted but “in this case, the laptop had been decrypted by a faulty security update the previous working day.”

The statement on their website reads:

“eir has reported a data breach of personal details for up to 37,000 customers to the Data Protection Commissioner. The data consists of names, email addresses, phone numbers and eir account numbers. This is a result of the theft of one laptop, which was stolen ‘off’ premises. No other personal or financial data relating to customers was stored on the laptop in question.”

How is data commonly breached?

In the case of eir, the laptop was stolen. The thief may only have wanted the laptop to sell, rather than intentionally stealing it to gain access to the data stored on it. But with the laptop’s whereabouts now unknown, there is a high risk of the data falling into the wrong hands.

In more deliberate cyber attacks, employees can unwittingly cause a breach by opening fraudulent emails: this is a common attack in companies. Other examples of data breaches are a company sending your data to someone else without your consent, or altering your personal data.

Why do people steal data?

Personal data can be bought and sold on a cybercriminal black market; some report that the hacker data market is more profitable than the illegal drug trade. And it’s not just credit card information we have to worry about. Social media account information has become even more valuable to criminals; this information can be used as ‘digital keys’ to unlock difficult and encrypted passwords.

Cybercriminals will use personal data to create fake identities. This is a growing crime in Ireland and is becoming a problem for authorities; criminals will then use the fake identities to commit fraud and theft.

How would I be notified of a data breach?

Under the new GDPR legislation, the company affected must inform the Data Protection Commissioner within 72 hours of a breach. If the reported breach poses a risk to individuals (employees or the public), they must also be notified without delay.

The company will inform the affected individuals using the contact information held on its database. These individuals will then receive either an email, a postal letter or a phone call to notify them of the breach. Serious breaches are very often reported in the media.

Signs that your data might have been stolen

The most common indications that your data may have been stolen and is now being used fraudulently:

  • Unusual accounts showing up on your credit/debit card billing information or bills for items that you didn’t purchase
  • Receiving a statement for an unusual credit card account
  • Unusual withdrawals showing on bank statements
  • Suddenly receiving lots of spam emails or calls
  • Receiving a text message containing a PIN for an unknown service; this is a two-factor authentication code

If you receive a letter from any company that has been exposed to a data breach asking for your bank account details, never hand over this information; contact the company to double-check that the request is genuine.

What to do next:

  • If you think any of your online accounts have been hacked, change your passwords immediately
  • Contact your bank about unusual charges

After a serious breach, a company is investigated by the Data Commissioner and people affected may also be entitled to compensation. Contact a solicitor for more advice.