The personal information of almost 900 customers has been lost by an employee of Bank of Ireland.
The details of 894 customer accounts, phone numbers and addresses were copied on to a USB stick which was subsequently lost. Bank of Ireland says it has informed most of the people affected by the data breach, and will monitor their accounts for unusual activity.
It has also been revealed that the information was not encrypted despite this being required by the bank's policies and procedures. In a statement the bank said “no financial information in relation to customers' accounts was on the device” and it had no reason to believe the device had “fallen into the wrong hands.”
The Data Protection Commissioner is investigating the loss, though Gary Davis, deputy Data Protection Commissioner, said that while there was no mandatory requirement for financial institutions to report lost data, “the bank seems to have reacted reasonably in this instance.” While he admitted that the loss was a concern, he said that the likelihood of fraud was “relatively remote.”
Graham Cluley, senior technology consultant for Sophos, said: “That's all very well - but this security lapse should never have happened in the first place. With proper checks and measures in place, it should have been possible to control access to the memory stick and ensure that any sensitive data copied to it remained encrypted.
“Sadly it seems the message about the need for greater care over the transport of sensitive data just isn't getting through to some businesses - or at least that workers cannot be trusted to follow security guidelines and policies.
“If you cannot enforce a policy across your workforce then there is the risk that your employees are putting the reputation of your company directly into the firing line.”
The loss follows a high-profile statement by the Prime Minister, who claimed that ‘data loss is inevitable.’
Nick Garlick, managing director of Nebulas Solutions Group, said: “Brown's comment shows only too clearly how ignorant the Government is about technology and how little it has invested to protect sensitive and confidential information. The recent spate of security breaches is entirely preventable.
“Data loss prevention technology and encryption techniques are widely available to address exactly these kinds of situations. Combining these technologies with security policies, which set out what individuals and departments can and cannot do in relation to confidential data, would have prevented these situations.
“The Prime Minister's comment will result in a further loss of confidence in the Government's ability to protect any data. In light of this, Brown's comments are an open invitation to hackers, online criminals and organised crime to redouble their efforts to steal this data.”