A staff member at Bord Gáis who downloaded personal data on more than 93,000 customers to a laptop that was subsequently stolen had specific responsibility for ensuring the protection of data, a report has found.
A report on the investigation by the Office of the Data Protection Commissioner (ODPC) into the theft of four laptops from Bord Gáis’s office on Foley Street in Dublin on June 5th was published yesterday.
One of the computers was not encrypted. It was initially believed to contain the banking details of about 75,000 people, but during the investigation it emerged the details of 93,857 customers had been compromised.
The machine contained details such as bank account numbers, home addresses and branch details of people who had switched their electricity supply from the ESB as part of Bord Gáis’s “big switch” campaign.
Fourteen people made complaints to the ODPC in relation to the theft of their data, although no individual was found to have suffered a financial loss as a result.
The ODPC found Bord Gáis had breached its responsibilities under the Data Protection Acts on a number of counts, including that it failed to put in place an appropriate level of security on the stolen computer and that it retained personal data on the machine in question for longer than was justifiable.
The ODPC acknowledged, however, that Bord Gáis had “from a relatively low base” dramatically improved its focus on data protection over the previous 12 months.
“Accordingly, while the loss of a laptop with such a substantial amount of personal data contained on it breached a number of the provisions of the Data Protection Acts, it was not representative of the generally serious and committed approach to data protection that ODPC is satisfied is now in place in Bord Gáis Éireann.”
Director of investigations for the ODPC Gary Davis said he believed the report demonstrated there were “issues that needed to be addressed in Bord Gáis”.
“The report itself should be read by all organisations and should serve as a reminder to them of what can happen where data protection standards are not at an appropriate level.”
Bord Gáis managing director David Bunworth, in a written response to the ODPC, said the company had taken a number of steps to protect data, including the encryption of all laptops.
Staff will also be given mandatory training on their responsibilities and obligations in handling data as well as training on laptop and mobile device security.
“Please be assured that Bord Gáis Energy has taken the report and its recommendations very seriously and will ensure that there will be no recurrence of the issues that emerged following the theft of the laptops from Bord Gáis Energy premises,” Mr Bunworth said.