Meteor and eMobile guilty of data breach after sensitive information on thousands of customers stolen
MOBILE phone operators eMobile and Meteor have admitted breaking data protection laws following the theft of two laptops that contained sensitive personal information about thousands of customers.
The companies, both subsidiaries of Eircom, will donate €30,000 to charity to avoid a conviction after being prosecuted due to an investigation by the office of the Data Protection Commissioner after the loss of two laptops, which contained personal information on more than 10,000 customers.
The computers were stolen on a date between December, 28, 2011 and January 2, 2012, from Eircom's premises at Parkwest in Dublin.
The theft was not discovered until January 3 and was reported to gardai but the data protection watchdog was not informed for about a month.
The information on the laptops included passport and driving licence details, financial statements and bank card details.
Meteor and eMobile pleaded guilty at Dublin District Court today to three charges under the Data Protection Act.
Assistant Data Protection Commissioner Tony Delaney gave evidence and the court heard that both companies accepted that there had been a delay in telling the Data Protection Commissioner as well as the customers involved and that the data on the laptops had not been properly encrypted.
The court heard it took about 30 days before it was reported to Data Protection Commissioner.
It took from six weeks to two months before customers learned about what happened to laptops containing personal and financial information about them.
Judge John O'Neill said both mobile phone operators had not followed data protection regulations but noted that they had pleaded guilty.
He said he would apply the Probation Offenders Act sparing the companies criminal convictions for the data breaches. However he stipulated that before he makes that order they must donate €15,000 to children's charity the Laura Lynn Foundation and €15,000 to the Pieta House suicide awareness centre, within four weeks. The case was adjourned.
Deputy Data Protection Commissioner Gary Davis told reporters after the hearing that the watchdog was happy with the outcome of the case. “Eircom have come in and admitted that they should have encrypted laptops, should have informed our office quicker and that they should have informed the affected individuals.
“The judge was actually quite damning of them for not taking the basic step of informing our office straight away.”
“From our perspective it sends a strong message to all people controlling sensitive personal information in relation to citizens and customers to take basic security measures to protect them,” he added.
Mr Davis also said that the law in this area is developing and changes may be introduced where fines for data protection breaches could reach as much as €1m.