O2 And IBM Under Fire For Irish Data Breach Gaffe

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tech giants criticised for not coming out sooner on 2011 tape loss

O2 has warned customers some of their information may be lost, after IBM misplaced a back-up tape, but both are facing questions over how long they took to disclose the data breach.

The tape was lost back in September 2011 and remains unaccounted for. O2 was only informed by IBM this summer, but no date was specified.

O2 said it was possible the back-up tape “could contain some personal data” but “it is more likely that it simply contained information about O2's normal business affairs and company information”. It said there was a “low risk to customer data privacy”.

The case will still not reflect well on O2, given customers are already concerned about its data handling practices. A TechWeekEurope Freedom of Information request revealed earlier this year that the Information Commissioner’s Office had received more data breach complaints on O2 than on any other organisation.

Data breach blooper

“We are not aware of any incident since the tape was misplaced whereby data that might have been on the tape was accessed or used,” O2 said.

Yet the data was not encrypted – something data privacy watchdogs do not take lightly. O2 said, however, that the “data on the tape is in a format that is not accessible to someone trying to access it and requires specialist technology to extract any readable information from it”.

O2 even believes the disk is actually still in an O2 building, but the telecoms firm can’t find it.

The operator has informed the Irish Data Protection Commissioner and is working on an investigation into the nature of the breach.

Despite its moves, Irish onlookers were baffled about the apparent lack of immediate disclosure from the two tech giants.

“Why does O2 not know what was on the tape? Most backup systems have a logfile or record of what data was backed up. It seems strange to me that there is no record as to what data was, and was not, backed up onto the tape,” said Brian Honan, founder of the Irish Reporting and Information Security Service, Ireland’s first CERT (Computer Emergency Response Team), in a blog post.

“Why was the tape not encrypted? Copying data onto a tape means at some stage that data can be read back from the tape. This means anyone with the same type of tape drive and software can restore the data.

“If that data is not encrypted then anyone with that equipment can restore and read the data. If the data is encrypted then even restoring it from tape makes it inaccessible to those without the proper access.”

An O2 spokesperson told TechWeekEurope that “obviously we aren’t happy with it”, but wouldn’t be drawn into discussing its future relationship with IBM.

As for the time it took them to confess to the breach, the spokesperson said O2 had spent the last few months “exhaustively trying to establish what was on the tape”, to determine what data went missing, before it opened up.

IBM had not responded to a request for comment at the time of publication.
