The personal information, including account numbers, phone numbers and addresses, was copied onto the USB device in contravention of the bank's policies and procedures.
Bank of Ireland has a history of allowing private customer information to escape. Earlier this year, the bank lost data on 10,000 customers when four laptops were stolen. Perhaps unsurprisingly, that data was also not encrypted:
The computers - which contained data on customers who had obtained a quote or purchased a life assurance policy from seven BoI branches in the Republic of Ireland - were stolen between June and October last year....
THE PROJECT FAILURES ANALYSIS
Many organizations, including Bank of Ireland, do not handle confidential customer data with a sufficient level of care. The problem continues because practical IT reality makes formal security policies difficult to enforce.
For example, consider this likely scenario: an IT worker intends a quick data transfer from one computer to another using a standard USB flash drive. Along the way, he buys coffee and unintentionally leaves the unencrypted memory stick on the counter, creating a data breach and violating numerous corporate policies and government regulations.
I asked Ken Citarella, Principal of Internal Corporate Security Solutions, a private investigations firm based in White Plains, NY, for his thoughts. Ken is a retired prosecutor with 27 years' experience fighting white-collar and computer crime:
No written policy can overcome human error unless people are vigilant about their ordinary behavior. Employees will not follow security procedures unless management enforces those policies rigorously. On-going training, communication, and management commitment are critical to preventing data breaches. Failing these steps, data losses will continue.
My take. This problem won't be solved without stringent government regulation, including stiff penalties and jail time for severe offenders. Here's a simple way for large organizations to reduce the problem: immediately terminate employees who violate data protection policies. If you think that's overly Draconian, speak with an identity theft victim.