Hundreds of Credit Card, Debit Card and Bank Account numbers for €5.79
Posted by: Dave on Jul 3, 2009
Regular readers of this blog will know that I have talked about data protection in previous blog posts.
- List of Irish email addresses made public.
- Stolen laptop contains account details for 75,000 Bord Gais customers.
There is an interesting article in the Irish Times today by Karlin Lillington titled "A treasure trove for hackers". The article discusses research carried out by forensics experts from the Dublin office of Ernst & Young that shows companies may be overlooking a source of potentially serious data leaks: employees who work at home. The article and the research relate directly to data protection, and the findings also relate to online payments, so I felt it deserved a blog post.
The team from Ernst & Young purchased 8 hard drives on eBay Ireland from random individuals. Using forensic tools they were able to access the data on the hard drives, even data that had been erased. It is worth noting that only 3 of the 8 hard drives purchased had actually been erased!
The article gives details relating to two of the hard disks purchased. One disk was purchased for €5.79 and the other for €10.79. One of the disks was from "a brand-name online payments company" and the other from "a well-known Irish car dealership".
The online payments company disk contained the following:
- Technical files relating to a popular bill payment solution
- PPS numbers of staff and customers
- Hundreds of customer bank account numbers and sort codes
- Hundreds of Laser card numbers and expiry dates
- Hundreds of credit card numbers and names
- Significant amount of e-mails detailing customer data
- Internal corporate information, staff details etc.
The car dealership disk contained the following:
- Bank account numbers
- Customer names and addresses
- Customer invoices and bank details
- Customer car registration information.
We have all seen the recent news stories about data breaches suffered by various high-profile organisations. These cases all involved some kind of illegal activity, i.e. stolen laptops or someone penetrating an organisation's network. SecurityNinja blogged last year about some research he did into buying stolen data. He reported that one could easily buy stolen data on underground forums and IRC channels.
The Ernst & Young research highlights that people can easily and legally find sensitive personal information relating to individuals and organisations on the Internet for a small amount of money.
I was going to suggest that education is the solution. Maybe people do not realise that it is possible for someone to retrieve information that has been erased from a hard disk. I am not sure if this will help; I think people just do not care about data protection. Only 3 of the hard disks had been erased. The following is a quote from the eBay advert for the hard disk from the well-known Irish car dealership.
"Used to be in a Dell computer but I removed it. I didn't bother deleting the files off it but this can be easily done."
Once again this leads me to the same question, one which I do not know the answer to.
Has any organisation in Ireland ever been prosecuted for breach of the Data Protection Act?
Dave

written by rob coyle, July 03, 2009
I think you can even get back data that has been wiped multiple times.
written by Jamie, July 05, 2009
another report from the delights of Ernst & Young --- who IMHO charge/earn far too much!
If you haven't worked with Ernst & Young before (and I have), then this is what they think of themselves - http://www.youtube.com/watch?v=MaIq9o1H1yo
written by Jamie, July 05, 2009
...and related to the initial posting, this is what should be done to your hard drive! http://news.bbc.co.uk/2/hi/technology/7816446.stm
