Irish Data Protection Commissioner Billy Hawkes has called the loss of Eircom's laptops "one of the most serious breaches" his office has seen.
Speaking to the RTE radio station in Ireland, Hawkes said the nature of the data, the long delay in telling people about it being compromised and the fact that it involved a communications company, which is subject to more stringent security standards, made the case particularly serious.
Eircom said there was a reporting delay while it tried to find out what had been breached, but Hawkes said this was not acceptable as "24 to 48 hours is our guideline for reports of such incidents, so it is very surprising to hear that reason being given".
According to a statement, the details of 6,845 customers and 686 employees of Eircom's eMobile and Meteor firms were contained on the three stolen laptops, along with the bank account or credit card details of 550 customers.
Two of the laptops, which were unencrypted, were stolen from offices in Dublin in December, while a third laptop was stolen from the home of an employee. Eircom said the incidents were immediately reported to the police and that two separate investigations were ongoing; it also said there was no evidence that the data at risk had been used by a third party.
It said: “Eircom treats privacy and protection of all data extremely seriously and we have taken the following pro-active measures to address the situation. As a precautionary step, we have contacted the Irish Banking Federation, who has notified their members of the potential risk to data for affected eMobile and Meteor customers.
“A review of the group's encryption policy is under way to ensure all computers and laptops are compliant with the group's encryption policy.”
Speaking to the Irish Independent, Eircom head of communications Paul Bradley said: “The personal data at risk includes details such as an applicant's name, address and telephone numbers, as well as a range of documentation used to support a customer application such as passport and driver's licence details, various photo IDs or utility bills, which all may have been used to establish proof of identity.
“In some cases financial data such as bank account or credit card details is also at risk.”
Hawkes said: “Encryption of laptops, where you do permit personal data to be stored on them, is bog-standard security and it is extremely surprising that in two separate incidents, Eircom's laptops were not encrypted.”
Stephen Midgley, global vice-president at Absolute Software, said: “It's clear that, as laptops and other mobile devices increasingly become essential work devices, maintaining security of customer and company data is becoming ever more challenging.
“When managing personal and financial details companies need to have greater safeguards in place to protect customers from the risks of loss and theft inherent in mobile devices. Consumers will increasingly seek greater assurances from businesses about the protection of their data so it's crucial that firms make changes before irreparably ruining trust.”
Midgley said that the key to security is robust data management and document security. “As device proliferation increases, the ability to push and pull data from employee devices to ensure that crucial financial information and personal data isn't simply saved to a device or emailed out, will become vastly more important,” he said.