Budget Travel and the missing USB stick
Posted by Maman Poulet on 17 Feb 2010 at 10:18 pm | Tagged as: Uncategorized
When Budget Travel went into liquidation last year, the official liquidator contacted the email database and told us that they were going to sell the database to an interested bidder. An opt out was given to subscribers.
I didn’t do anything about it personally- was surprised by the contact but given the tough times in travel industry I could understand that the email database of Budget customers could be worth something in paying off the debts of the company.
Tonight the liquidator emailed the database with news. None of it any good in terms of data protection. Nobody heard of encryption??
Dear Customer,
I contacted you before Christmas to inform you that Budget Travel Limited’s business had been put in liquidation, but that a number of parties were interested in purchasing Budget’s business. I told you then that your personal data held on a subscriber database would be disclosed to the purchaser as part of this process in order to ensure continuity of service to you as a valued Budget customer.
This purchase is now nearing completion and it is intended that the purchaser, Club Travel Limited, will complete its purchase of Budget’s business over the next few weeks. The information to be provided to Club Travel comprises your name and email and may also include your contact phone number and postal address (if you provided these details to Budget). The database also contains internal Budget codes representing customers’ age group, gender and travel preferences, but not all customers provided this information, so Budget may not necessarily store this encoded information about you.
The information stored therefore comprises very basic information which Budget used to provide quality travel services to you, some of which is encoded. In many cases Budget only stores your email and name. No other information relating to you is held on the database, for example, no financial information such as bank details or credit card details is stored on the database.
In preparation for completion of the purchase of Budget’s business, the subscriber database containing your information was placed on a portable USB stick, which was stored at Budget’s Dublin headquarters. This USB stick was stolen as part of a theft in the last fortnight. An Garda Siochana are investigating the matter and the perpetrators of the theft have been identified, but the USB stick has not yet been recovered. The theft appears to have been opportunistic with no specific intent to take customer data and it is important to emphasise that the information on the database is very basic data, which in some cases could be obtained elsewhere (in a telephone directory for example). Without the Budget Travel codes, it is unlikely that those who stole the USB stick will be able to decipher and read the encoded data.
As is best practice and as recommended by the Office of the Data Protection Commissioner, I am notifying you about the security breach and can reassure you that stringent measures have been put in place to prevent any breach like this occurring in the future.
Kind regards,
Simon Coyle
Official Liquidator
Budget Travel Limited (In Liquidation)
Social comments and analytics for this post…
This post was mentioned on Twitter by darraghdoyle: RT @suzybie: The entire email database of Budget Travel was for sale, put on a USB stick and was stolen http://bit.ly/d5aaqi...
Holy shit. They join a long list – anyone remember the Bord Gais stolen laptop saga? My details were on that. Don’t think Budget had them, but who knows?
The orginal email to subscribers last december
I’m horrified at the lack of professional competence. The notion that all that data was left on a stick, not placed in a locked safe, is almost beyond belief.
No amount of reassurance that the data wasn’t critical would impress me. Simon Coyle, Official Liquidator, will I hope have to justify why he should be regarded as a fit and competent person to have charge of any future liquidations – or any other valuable assets for that matter.
Is there a professional association of liquidators that will investigate this laxity? Luck ensured the theft was not more serious it seems.
I am still recovering from the shock of reading the letter.
Maybe George Clooney nicked it and is on the way to you now with a coffee machine.
Joking aside, what the hell is a DB doing lurching around an office on a UBS stick. jesus christ. I hope the person who has it ransoms it for a holiday in Jamaica or a free question to Gillian Bowler. “Why are you still in your job?”
As someone said to me recently about the Mike Soden / pron work computer affair: there’s a lot of angry and recently unemployed IT staff about these days.
I have to say I think people are a little over sensitive to these incidents. There tends to be a lot of high and mighty finger wagging at something which can happen too easily.
Picture the scene: Someone transfers the database onto a USB in order to take it home, clean it up, delete duplicated names and blank columns while he watches Frontline and drinking a cup of cha. But before he leaves of the office, he nips into the jacks for a quick wee, leaving his laptop with USB still copying lying on his desk. In five seconds flat, a bloke walks into the office an takes three laptops and a mobile or two.
We’re not robots.
How about a situation say where commercially sensitive and lucrative information is nicked by someone near the organisation who knows that it can be used elsewhere?
Data like this should never be taken home!
Saw you got mentioned on Irishtimes.com and a link back to your post – The paper of record no less!
MP, Perhaps information like that should never be removed from a server but in high pressure working environments and tight deadlines, people just don’t have the time to tick all the boxes. And if they do, they’re considered difficult. The Irish ‘ah sure it’ll be grand’ attitude.
I get it all the time in my line of work. You try to do things properly but people just don’t care.