Tuesday 20 August 2019

Staff off the hook for laptop security blunders

Shane Phelan and Michael Brennan

STAFF at the State spending watchdog who failed to inform authorities that laptops stolen from them contained sensitive information about up to 400,000 people are to escape disciplinary action.

The Office of the Comptroller and Auditor General (OCAG) last night confirmed the staff will not face any sanction despite not displaying the "common sense" to report the nature of the material contained on three laptops stolen over the past three years.

OCAG admitted the unencrypted laptops -- among 16 stolen from their officials since 1999 -- contained highly sensitive information, including PPS numbers, bank account details and social welfare payment details.

While the staff involved reported the theft of the laptops to their superiors and the gardai, the extent of the information contained in them was not reported and only became apparent in recent weeks when OCAG conducted a review.

An OCAG spokesman described the massive oversight as "a procedural flaw" and said no disciplinary action would be taken as there had been no procedures in place at the time for the reporting of the theft of sensitive information.

One of the laptops, stolen after being left overnight in the Department of Social and Family Affairs during an audit, contained the personal details of 380,000 social welfare recipients, including the bank account details of over 100,000 people. Payroll information for seven public bodies was also on two other stolen laptops.

Hacker

None of the information was encrypted. It was protected only by a password that a knowledgeable hacker would have little difficulty circumventing.

Although the laptop containing the social welfare information was stolen in April, Social and Family Affairs Minister Mary Hanafin said her office had only been notified last week about the nature of the information involved.

"I am extremely concerned that this theft of information could cause anxiety to our customers, particularly our pensioners," said Ms Hanafin.

"I am also very concerned that we were not made aware of the nature and extent of the loss at the time of the theft."

Data Protection Commissioner Billy Hawkes launched an investigation last night and described the theft as "a serious incident".

Stolen

He also expressed concern about the "potential implications" for those affected if their information fell into the wrong hands. The other two laptops were stolen in March 2005 and May of this year.

OCAG said the laptop stolen in March 2005 was taken from an auditor while they were "in transit". Information from one public body was on the laptop.

The laptop stolen last May was taken from a bus stop. It previously emerged the PPS numbers and payment details of hundreds of staff at the Department of Enterprise, Trade and Employment were on the laptop, as well as information about IDA grants to a number of companies.

However, OCAG yesterday confirmed to the Irish Independent that this laptop also contained PPS numbers and banking details for staff in six other public bodies. A spokesman said the numbers could run into the thousands.

Ms Hanafin said data on the laptop stolen from her department related mostly to the records of pensioners receiving benefits in 2005.

Data also related to payments made to single parents, widows, orphans and carers, as well as bereavement grant and invalidity pension recipients.

The department said it would be writing to everyone affected and had also set up a helpline -- telephone number 1800 690 590 -- for the public to ring.

OCAG said steps were being taken to reduce the risk of sensitive information being stolen again, including the rolling out of encryption systems in the coming weeks.

Fine Gael justice spokesman Charlie Flanagan said the debacle showed the Government could not be trusted with personal data.

Age Action said it was concerned about the theft of the social welfare information.
