Lured by the Gas Board’s offer of saving money on inflated electricity bills, we signed up for their ‘Big Switch’, unaware of how incompetent the organisation could be. A letter, one of 75,000 delivered across the country, came this morning:
As you may be aware, four laptops were stolen from Bord Gais Energy on Friday, 5th June 2009. One of the stolen laptops contained information including name, address and bank account details of 75,000 electricity customers. Unfortunately, and outside established company procedures, this laptop, while well secured, was not encrypted and as a result of the theft this customer information was taken out of the controlled company environment and was therefore put at risk. Your name, address, bank account number and sort code were on the stolen laptop.
Bord Gais Energy unreservedly apologises to you for the lapse in our data security procedures. When the theft was discovered the Gardai were immediately informed as well as the Data Protection Commissioner. Subsequently, Bord Gais Energy engaged international risk management experts and contacted all of the relevant banks and the Irish Banking Federation. Based on the advice of the Gardai and the company’s own security and risk analysis, it was judged that publicising the theft immediately would risk hampering the Garda investigation. We alerted the media on Wednesday, 17th June 2009.
Data security and data and laptop encryption is a major priority for us. Our own rigorous encryption programme commenced last July. It is now fully complete and we can assure you today that our systems are now fully secure.
At this point the expert security advice is that the risk of the data being misused is low – but any risk is unacceptable. Bord Gais Energy has alerted all of the banks of all of the affected account numbers, but we advise you to check your account for any suspicious activity.
The prospect of any satisfactory answer from a public monopoly is so remote as to make the effort pointless, but questions do arise.
Why was the information on someone’s laptop? Why would someone need to take the details of 75,000 bank accounts out of their office? How were these details put onto a laptop that was clearly not carrying the established company software?
What on earth is an “international risk management expert”? The information is in the hands of criminals; any risk arising comes from those criminals; risk expert or risk novice, you cannot manage criminals. If you could manage crime, the Garda budget could be slashed.
What exactly did the Gardai do in pursuit of the criminals? How were they to know whether the bank account details had been used if no-one had been warned? Why did it take twelve days for them to admit the investigation had been fruitless?
Bord Gais did indeed alert the media on 17th June; it might have been courteous to have alerted those affected at the same time. Instead, a letter dated last Friday was sent out and arrived this morning. What is the greater concern: protecting customers, or guarding the image of Bord Gais?
Having online banking, it is easy to monitor for irregular transactions. But what about many older people, or people of limited means, who do not have access to the Internet and who are now left to worry?
Why do Irish people always put up with poor public service?