It’s not great when any organisation loses a laptop, but if the contents of the computer’s hard drive have been fully encrypted and a strong password has been used it’s hardly the end of the world. After all, the chances of a criminal being able to access any sensitive information on the mislaid or stolen device is remote – and the cost should be limited to the purchase of a replacement.

But things are much worse if the lost laptop wasn’t encrypted, and contained the personal details of thousands of your customers.

That’s what Irish telecoms operator Eir had admitted happened to it earlier this month, blaming a “faulty security update” for leaving unencrypted a staff member’s laptop which was stolen outside of one of its offices.

“Eir treats privacy and protection of all data extremely seriously and our policy is that all company laptops should be encrypted as well as a password protected. In this case the laptop had been decrypted by a faulty security update the previous working day, which had affected a subset of our laptops and was subsequently resolved.”

I must admit that I find it somewhat hard to comprehend how a borked security update would leave a hard drive unencrypted (unless that security update was actually pushed out to encrypt a laptop’s drive in the first place, and failed), but even if that explanation is accepted one has to wonder what on earth a computer containing the personal details of 37,000 users was doing outside of Eir’s premises. It’s hard to imagine any scenario when it would be necessary to store such data on a laptop, rather than holding it on a secure server.

The storage of sensitive personal information about customers should always be on a central server, which can be protected with (Read more...)