Statement by Data Protection Commission in relation to Eir breach notification

22nd August 2018

On the 10th August 2018, the Data Protection Commission (DPC) was notified by Eir of a potential data vulnerability involving approximately 1500 of their laptops, which arose as a result of an incorrect configuration. This vulnerability had resulted in standard encryption being removed from these laptops. The DPC was later notified that one laptop had been stolen. The type of personal data involved is the name, email, mobile and account numbers of some 36,642 Eir Customers, as well as name and contact details of 177 Eir employees.

 Eir has continued to update the Commission on this incident, and the remedial action being taken. As of yesterday Eir reported that out of the 1,484 laptops impacted, 1,438 laptops have been re-encrypted, a further 25 are re-encrypting or awaiting re-encryption and 21 remain unencrypted. Eir also confirmed that it will be contacting the persons affected by the theft. The DPC continues to closely monitor this situation.

This incident underlines the concerns previously expressed by the DPC in respect of the technical and structural security measures being employed by organisations who process personal data, and the need for stringent safety measures to be central to the business model of any entity which processes personal data.