
Laptop Theft Exposes 243k Credit Cards

By Ed Oswald, BetaNews

June 2, 2006, 1:47 PM

The theft of a laptop out of an Ernst & Young employee's car has turned into a massive data breach affecting hundreds of thousands of users of the travel-booking site Hotels.com. Altogether, the names and credit card data of some 243,000 customers have been compromised.

Ernst & Young is the auditor for Hotels.com, so the company said the employee was within his rights to have possession of the data. Although it believes the incident was merely a car theft, the company is taking steps to prevent future thefts from occurring.

The data was password-protected, but not encrypted. A spokesperson for the company says that as of Wednesday, that policy will change. All computers will now come with encryption software, and sensitive data will be encrypted as well as password-protected.

No evidence of identity theft has appeared as a result of the theft. Ernst & Young is also working with Hotels.com to inform those whose personal data was included in the file.

News reports indicate that this is not the first time the accounting firm has lost laptops filled with data. A February article in The Register UK reported that Ernst & Young had lost a laptop with the personal data of employees from Sun Microsystems, Cisco Systems, BP (formerly British Petroleum), and IBM. The firm only disclosed the loss after it was queried on the issue by a Register reporter.

It was rumored that the data even included the social security number of former Sun CEO Scott McNealy, although the firm would not confirm the report.

29 Comments

By Silentmaster101

posted Jun 5, 2006 - 11:15 AM

That jackass should be fired and fined and then made to work community service for the rest of his life. And then E&Y should have to pay 5000 to every customer who has had their info exposed, then they should be shut down for negligence. When you are dealing with possibly ruining 250,000 people's lives you should be held accountable to the extreme.

Score: 0

By ZenWarrior

posted Jun 5, 2006 - 9:37 AM

Yes, as noted by someone below, this is getting to be ridiculous with something new every week now. The medical profession has pretty well addressed such issues. For example, patient data cannot be taken home by physicians. It is now time for such policy to be made no less than state law in all states, if not even federal to cover all bases, and across all industries.

I, for one, will be writing my Congress/wo/men telling them to stop wasting time with things that do not matter (e.g., cavity searches of 80 year-old grandmothers) and only satisfy their imbecilic perceptions of "danger," but instead start addressing now very commonplace 21st century problems. For Congress to do any less should let all voters know we have elected Luddite simpletons who cannot tell the difference between a laptop and a typewriter.

And I also agree that consumers should very much have a right to sue under when such occurs. Let's face it--that may well be the only way to get the message across.

RJIP is right about the simplistic thinking of "password protected only" data. Where has one of the world's largest accounting firms been the last 25 years? Did they just crawl out from under a rock to see new-fangled gadgets called computers around everywhere?

I do wish I were a lawyer. I would have no problem with some test cases and class action lawsuits. IDT overbills me a few dollars and suddenly I am due $25 from a class action lawsuit. Conversely, my identity and money are [easily and potentially] stolen each week and I am in essence told nothing is due to me. What's wrong with that picture?

Score: 0

By Bazza_ch

edited Jun 4, 2006 - 4:05 AM

The employee may have had the right to Hotels.com's data; however, those whose credit card details have been compromised have rights as well. In spite of Hotels.com's disclaimer on their US website: "it may be necessary for us to provide customer information to third parties, such as credit card companies, for the purpose of resolving disputes that arise in the normal course of business"; it does not appear that this applies here. Also such disclaimers in jurisdictions outside the US such as the EU often have no force, i.e. one does sign away one's rights.
At the very least someone should be offering to help customers replace their credit cards to avoid possible fraudulent activity. Those whose details have been used fraudulently should perhaps be looking to a possible class action lawsuit.
Unfortunately, judging by the comments posted previously, as ever, the only way to make those in positions of responsibility sit up and take notice is to hit them where it hurts.

Score: 0

By PostDeals

posted Jun 3, 2006 - 11:05 PM

Great, I use Hotels.com often and have my credit card and information saved on file. There goes another thing I have to worry about, heck we all may just start over with a clean state, new name, ssn etc.

WE SHOULD BE ABLE TO SUE THESE COMPANIES FOR NEGLIGENCE.

Score: 0

By ds0934

posted Jun 3, 2006 - 6:12 PM

AGAIN???? This is getting to be a weekly event. Does anyone care about this? I guess I shouldn't care, nobody else seems to. At least, nobody in government or law enforcement. I don't see any news about these idiots/thieves getting jail time. Let's all just write our SSN's on our foreheads and be done with it.

Score: 0

By pyridox

edited Jun 3, 2006 - 3:39 PM

Great, 243,000 persons' credit card & personal data sits on the front seat of someone's car, un-encrypted! Ernst & Young said the guy was within his rights, but those 243K people who just had their underwear drawers exposed were not, I guess?

And it took this incident for them to start using data encryption. Only because Sun's McNealy, and probably other high profile persons' data were exposed is the only reason. Data encryption may not be 100% safe, but it's a hell of a lot better than none.

The whole lot should be tossed out on their negligent arses (that's where their brains are)!

Score: 0

By xyzcb1

posted Jun 3, 2006 - 1:17 PM

I did a quick search on freezing your credit files. Only about 11 states allow you to freeze your credit file, and most of you CANNOT freeze it until you got victimized. GREAT, YOU CAN ONLY FREEZE IT AFTER YOU GOT VICTIMIZED.

Score: 0

By PostDeals

posted Jun 3, 2006 - 11:07 PM

Which state allows you to freeze it? Please post links.

Score: 0

By fewt

edited Jun 3, 2006 - 9:49 AM

Ernst and Young did NOT have the right to have this data. Giving up this data to them should be one of the audit controls the company failed on for not sanitizing the data!

Score: 0

By joeace1

posted Jun 3, 2006 - 4:22 AM

Isn't that a tad late?? Why in the heck would an accountant need most of that data? Why would they put that on a laptop that can be stolen? Companies would be more likely to use encryption if they had to pay all the charges of the stolen credit cards.

Score: 0

By smpita

posted Jun 2, 2006 - 11:41 PM

Here's an idea... Keep all sensitive data (SSNs, account numbers, etc.) on a physically secured central server. Encrypt the files and give access through a network share. If they need to access at home or on the road? That's why we have telnet, termserv, etc. I can't see any viable reason why an employee would be allowed to have this information locally stored on a mobile computer. What's to stop the employee from leaking anyways? IMHO, the admin should be fired, then caned.

Score: 0

By PostDeals

posted Jun 3, 2006 - 11:08 PM

Haven't they heard of remote access? ( www.logmein.com ) or ( www.gotomypc.com ). E&Y I will never use you even if I had money that needed counted, you are too stupid.

Score: 0

By rijp

posted Jun 2, 2006 - 6:38 PM

*The data was password-protected, but not encrypted. A spokesperson for the company says that as of Wednesday, that policy will change. All computers will now come with encryption software, and sensitive data would be encrypted as well as password protected.*

As a reminder to everyone here, password protecting your stuff is only as good as the boot screen.

I can remove a hard drive, attach it to another computer, and STILL access your data. So if you have anything you want to keep private, encrypt it. Just FYI.

Score: 0

By ds0934

posted Jun 3, 2006 - 6:15 PM

I agree with smpita: data like this should NEVER be allowed to be copied/moved to a mobile device of any kind. There's no reason for it.

Score: 0

By Altman

posted Jun 2, 2006 - 6:00 PM

I'm torn between knowing how stupid companies are and coming public with these stories. If the guy who stole the car had no idea what was on the laptop he got, we probably wouldn't have a problem. Instead let's just blast it out to the whole world so that the guy knows what is on the laptop and while we're at it let's go and tell him that the data isn't encrypted. The only thing we haven't told him yet is what the password is to get into the data.

Score: 0

By rijp

posted Jun 2, 2006 - 6:36 PM

This has happened before, some guy sold a car, or broke into a house.. something like that, stole some government contracts or something. He held it for ransom, after he discovered he had something more valuable..

They agreed to a swap.. I can't remember what the details were, but he eventually got caught..

So instead of just breaking and entering, he got extortion and appropriation of secret government documents (something like that) added to his list of other charges...

Score: 0

By GCoder

posted Jun 2, 2006 - 3:22 PM

good job ace...

leave a company laptop in a car..

ssssssmmmmmmmmmaaaaaaaaaarrrrrrrrtttttttttt

Score: 0

By rijp

posted Jun 2, 2006 - 5:03 PM

Sounds like something you would do...doesn't it?

Score: 0

By tubaman

edited Jun 2, 2006 - 3:15 PM

Why wouldn't they be encrypted already? And why does one person have so many card numbers on their laptop? And how do they know that the card numbers were stolen also? The person that stole the laptop may have no idea that they are on it, unless the file is obvious. But yeah, stupid companies...

Score: 0

By chris7uk

edited Jun 2, 2006 - 3:16 PM

Such a big company and things like this keep happening,
Why is it only when such happenings take place and the answer is it won't happen again as we will do this.....,
Surely if laptops etc. are containing sensitive information why are they not encrypted and locked down to start with,
It's as good as handing it to thieves on a plate,
This is the 21st Century and this shouldn't be happening maybe other companies should take note as if this is happening customers and clients are not safe as whom do you trust in situation like this,
The fact that they say it won't happen again.

I do hope this type of thing comes to an end.

Score: 0

By rijp

edited Jun 2, 2006 - 6:31 PM

It doesn't KEEP happening, you only hear about those careless few that make the news.. that makes it SEEM like an epidemic, when it's not.

As far as locked down, and encrypted, that's another story. I tried to encrypt our drives, and got flak. For one thing, if you forget your password, there isn't ANYTHING anyone can do about it. Your data is GONE. The really crazy part is, people forget their passwords, FREQUENTLY. So if the machine is part of a domain, and it's encrypted, it's easy to get recovered, if however, they encrypt data that's ONLY a part of a profile, or a certain USER name, NOW you have a BIG problem.

I agree, SOMETHING needs to be done to protect the data, but users are whiners, they want things easy.. more difficult for thieves, also more difficult for the users and keepers of the data. I say, so what, how much is it worth to protect COMPANY data?

Our CFO/CIO vetoed the issue, and basically told me that was the end of it. I was like, fine, but when something like this happens to one of our laptops.. I don't want to hear a word about it. Not one word.

Score: 0

By ZenWarrior

posted Jun 5, 2006 - 9:41 AM

Remember, many cases never make the news because disclosure would be "bad for business." My guess is it is an epidemic, but we (consumers) just aren't informed of its full extent.

Score: 0

By PC_Tool

posted Jun 2, 2006 - 3:21 PM

A Wake up call is what's needed.

I'll respond to that with your very own words:

Why is it only changes are made when things go wrong,

Why is a wake up call needed? In this day and age, any decent network administrator should be focused 100% on security and privacy.

Consider the fact that nowadays, a slip on either could spell business destroying lawsuits.

Score: 0

By rijp

posted Jun 2, 2006 - 6:33 PM

*any decent network administrator should be focused 100% on security and privacy.*

- SHOULD - bold, caps, underline, and highlighted in yellow.

Realistically, they are "too busy" to care.

Score: 0

By PC_Tool

posted Jun 2, 2006 - 7:52 PM

Then they *won't* be working for me. :)

End of story.

Score: 0

By kungfubeer

posted Jun 2, 2006 - 7:21 PM

It's not that we are too busy to care, it's that we preach to the choir and nothing gets done until these things happen!

Score: 0

By bonefish

edited Jun 5, 2006 - 11:25 AM

This has nothing to do with IT Administrators. For one thing it's not their job. I'm so tired of people always blaming the Admins. Most of these people never have been on the other side and have no clue. Do they think that because the data is on a laptop then it’s IT’s responsibility? Well then what the hell are the Legal, HR and top level Execs doing? Delegating all of these decisions to the Admins? I seriously doubt it…

This is a corporate policy issue. If the data is sensitive then it should not be allowed off site. You think the CIA has floppy drives in their machines (god forbid laptops)? No, you know why? So the data doesn’t leave the building, period. I don't care if it is encrypted, written in hieroglyphics or pig Latin. If the right person gets a hold of the data consider it compromised. This is about top level executives not being responsible with customer information.

Score: 0

By FubarJeb

posted Jun 2, 2006 - 2:12 PM

Here we go again...

Score: 0

By chris7692

edited Jun 4, 2006 - 3:39 PM

Ernst & Young should be held accountable. Forget the company... your accounting firm in 2006 should not leave this data around unprotected. This could have happened to any of their 1000's of companies that they do auditing for and now this poor company is getting the shaft due to the incompetence of E&Y.

Score: 0