Backup Anytime

Bank of Ireland stolen USB key

Subscribers and regular readers will recall the Bank Of Ireland stolen laptops story. Whatever preventative measures were put in place at the time appear to have had limited effect on protecting USB keys. The use of USB keys in itself is questionable practice outside of circumstances in which data in encrypted and the key is for convenience only and not a singular or critical copy.

Even small enterprises are moving away from the use of micro devices for unencrypted data. The affordability and convenience offered by USB keys did for a time make them a data storage solution for individuals. The extent and obviousness of the risks coupled with the scale of reported incidents have removed USB key usage from the allowed list of many responsible companies.

This particular incident relates to account numbers, names and addresses (not full address but if the wrong people have a name and a partial address they can surly work out the rest in many cases) for just under 900 clients. Financial information was not breached but this will offer little comfort to the victims (customers) of this breach.

The bank have said they have no reason to believe the information has fallen in to the wrong hands. Given that the device is lost, it could fall in to anyone’s hands. Additionally, given that USB keys have a physical value (despite this being nominal) it is likely therefore that it will not be ignored when spotted.

Given the absence of adamant and repeated claims of the data being encrypted it would appear it is possible that it was not. We do not know for sure yet. If it was not encrypted this will not instill great general confidence given previous incidents and opportunities to resolve the basic but essential tenet of encrypting confidential client and third party information. If it was encrypted, there is little to worry about from the viewpoint of data privacy and  the focus can move to asset protection.

So, the question remaining is; was the data encrypted. If so, Bank Of Ireland should speak up as they have protected their clients from inevitable circumstances as device loss or theft will take place even if security and individual responsibility is managed well.

If the data was not ensrypted, B.O.I. have much explaining to do this time round.

Bank of Ireland, (B.O.I.) have decided they will refrain from making public the details of the report into last years laptop theft. The report received yesterday is accepted without dispute and will be acted on.

The investigation by the data protection commissioner took four months and focused on the theft of four laptops from Bank of Ireland which were from the banks life assurance division.

You may alredy know from reports here and elsewhere at the time this breach became public that the laptops contained details specific to Life Assurance and included medical and credit history along with life assurance quotations. This breach involved some 10,000 people.

The Bank has claimed that encryption is now used on company laptops. There was shock at the time that an organisation of the size and resource level of Bank of Ireland were not using encryption for such sensitive data on laptops.

There are no reports of the information having been used for fraud. While it is possible that the laptops were stolen just for their hardware value, this offers no protection for those affected. While the bank announced a level of client contact on the basis of exposure, there is little detail given as to what exact steps can and have been taken to protect all those affected. The real problem here is that while account numbers can be changed, accurate personal information such as health records can not be amended as they relate to specific facts.