Swift action vital to restore BoI's battered name
HEADS must roll following this appalling breach of security at Bank of Ireland.
The fact that it took Bank of Ireland up to nine months to inform the Data Protection Commissioner that private information on 10,000 customers had gone missing compounds the offence.
The bank can't say it wasn't aware of the dangers of private customer information falling into the wrong hands.
A fortnight ago, Britain's biggest bank, HSBC, announced that it had managed to lose sensitive customer information when a disc containing account details of 370,000 of its customers also got lost in the post.
Forewarned should have been forearmed.
Stolen
Not, it seems, if your name is Bank of Ireland. Not alone were four laptops containing information on 10,000 customers stolen, one of them from a bank branch, between June and October of last year, but it seems this information was unencrypted. This means that once the password was cracked, any Tom, Dick or Harry would have been able to access the information.
It gets worse. Despite the thefts having taken place up to nine months ago, the bank did not inform the Data Protection Commissioner until last Friday.
Bank of Ireland seems to have broken every rule in the book in its handling of this affair.
It seems to have had no system in place to ensure employees informed it immediately that the laptops had been stolen.
However, the mortal sin was undoubtedly Bank of Ireland's failure to secure the information by encrypting it. If the information had been encrypted, then it would have been impossible for anyone handling the stolen laptops to access the customer details. That the bank failed to take such basic precautions defies belief.
And what of its response to this debacle? When the story first broke last night, it issued a statement which raised as many questions as it answered.
According to the statement, "the thefts of the laptops were only brought to the attention of the appropriate authorities in the bank in the past number of weeks".
Does this mean that senior Bank of Ireland management were unaware of what had happened for between six and nine months? If this turns out to be the case, then it raises very serious questions about the quality of Bank of Ireland's internal controls.
Not good enough. Chief executive Brian Goggin needs to get a grip on this situation and quickly. The bank needs to contact the affected customers and offer them the option of changing their bank accounts, while those responsible for this mess should be fired without delay.
Only by doing so can Mr Goggin repair the damage this affair has done to Bank of Ireland's battered reputation.
- Simon O'Donovan


