By Sharon Lynch
April 26 2008
LOSING one laptop can be attributed to just plain bad luck, and two can be put
down to carelessness; three and four, however, would send anybody's alarm
But this was not the case at Bank of Ireland earlier this week when it
emerged that four laptops had been stolen from the institution's
investment arm between June and October of last year.
The bank said it was only told six weeks ago that three of its
unencrypted laptops had been stolen from cars and a fourth from a branch.
And when it emerged that the laptops held the personal data of 10,000
customers, protected only by a password, questions were raised about the
safety of customer information and about how security systems are
regulated. A password that controls who can log in to a laptop does
nothing to protect the data on its disk once the machine is in a thief's
hands: the drive can simply be removed and read on another computer, or
the machine booted from other media. Only encryption of the data itself
closes that gap.
Owen O'Connor at Information Systems Security Association Ireland
described the bank's IT security procedure as a "very weak" level of
protection. "If a laptop is unencrypted, a moderately skilled IT person
will be able to access all information on the files," he said.
The bank also admitted that it was the recent thefts of personal data in
the UK that prompted it to review its own security operations.
Its head of retail operations, Richie Boucher, said it was felt at the
time that the password system provided perfectly adequate protection. He
added that the bank was now moving to encryption. However, security
standards have been available in the Irish market for the past number of
An international security standard called ISO 27001, which has been
recommended by the Government as a data protection standard, was
established three years ago.
ISO/IEC 27001 is part of a growing family of ISO/IEC standards, the
'ISO/IEC 27000 series'. It is an information security management system
(ISMS) standard published in October 2005 by the International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC).
In a nutshell, it sets out how an organisation should manage information
security: it lists security control objectives and recommends a range of
specific security controls. Apart from setting out policies and basic
best practice for securing computer systems, the standard also deals
with the physical security of premises, the screening and training of
staff and the establishment of a security management structure.
None of the UK banks will deal with each other unless they have this
standard in place, according to Certification Europe, which provides
information, training, audit certification and inspection services in
information security management. Only 30 large organisations in Ireland
have signed up to it, and no banks.
A spokesperson for Bank of Ireland said it was aware of the ISO 27001
standard and expects to align itself with it in the near future. The
standard requires an organisation to record which security controls it
has chosen to apply and to justify any it has left out, so in this case
ISO 27001 would have required someone to justify why encryption was not
implemented on the BoI laptops in the first place.
Michael Brophy from Certification Europe said they have been
"frustrated" this week because the laptop debate centred on whether or
not the appropriate security was in place. "For three years, there has
been an international standard that sets out what is best practice when
it comes to information security," he said.
"The whole debate about whether something is appropriate security or not
is redundant. The question now is why organisations like Bank of Ireland
don't have this standard," Mr Brophy said.
Mr Brophy also questioned the business reason for regularly storing the
personal account information of 10,000 people on laptops.
"Even if there was a valid business reason for putting that volume of
sensitive data on something as insecure as a laptop, primary
consideration would have to be technology controls like encryption to
safeguard the sensitive information on it," he said.
No financial institution in Ireland has achieved the ISO 27001
standard, with the sole exception of Waterford Credit Union, which only
received its certification last month.
"If Waterford Credit Union can put in the resources and the time to get
it, why aren't the major retailers on the street achieving it?" he said.
Mr Brophy added that similar data thefts have occurred at other
companies, but these have not been publicised because the companies
involved have a lower profile.
"It simply comes down to the fact that they're not operating to best
practice," he said.
"They are not achieving simple international security standards.
"Maybe three or four years ago you could have had the excuse that they
were not aware of it or did not know about it. Anybody worth their salt,
who deals with IT, would know about this standard."