The Bank of Ireland has lost four laptops containing sensitive customer details of approximately 10,000 people.
The laptops were not encrypted, according to a Bank of Ireland spokesperson. Customer details lost include bank accounts, names, addresses and medical details. The laptops only had standard username and password logins by way of security, according to the spokesperson.
Customers affected are those who took out or obtained a quote for a life-insurance policy from Bank of Ireland Life from branches in Drogheda; Dunleer; Bagnelstown; Court Place, Carlow; Stephen's Green; Tallaght; and Montrose last year, according to a statement on the Bank of Ireland website.
The four laptops were all stolen between June and October last year. Three were stolen from the boots of cars, said the spokesperson. The Bank of Ireland is only now starting to inform customers by letter as to whether they may have been affected.
According to the spokesperson, the thefts were reported to the Garda at the time but not to senior management.
"The issue arose in February of this year as part of routine compliance monitoring. That was when the issue came to light, at which time, a full investigation began; we had to do a full investigation [before informing customers]. We will be writing to customers in the next number of days," said the spokesperson.
Jason Hart, European chief executive of encryption company CryptoCard, told ZDNet.co.uk that, as well as customer details being compromised, the laptops themselves could hypothetically have been used in an attack through virtual private network (VPN) clients.
"You have unencrypted laptops being lost and they all have VPN clients into the business — that's a bigger risk," said Hart. "You can crack usernames and passwords easily, and usernames and passwords are [usually] the same to access other systems."
The Bank of Ireland spokesperson said there had been no unauthorised attempts to log into the bank's systems, and added that the bank had seen "no evidence of fraudulent activity" on any of the affected customers' accounts.
The spokesperson declined to comment as to whether the bank had changed its VPN clients as a result of the laptop losses but said that it was in the process of implementing encryption on all of its laptops, and that the encryption process would be completed "by the end of the week".
Ireland's data-protection commissioner, Billy Hawkes, has been informed, as well as other regulators, added the spokesperson.