[ISN] Ernst & Young laptop loss exposes 243, 000 Hotels.com customers

InfoSec News isn at c4i.org
Fri Jun 2 01:16:58 EDT 2006


By Ashlee Vance in Mountain View
1st June 2006

Exclusive - Ernst & Young's laptop loss unit continues to be one of
the company's more productive divisions. We learn this week that the
accounting firm lost a system containing data on 243,000 Hotels.com
customers. Hotels.com joins the likes of Sun Microsystems, IBM, Cisco,
BP and Nokia, which have all had their employees' data exposed by
Ernst & Young, as revealed here in a series of exclusive stories.

The Register can again exclusively confirm the loss of the Hotels.com
customer information after having received a copy of a letter mailed
out jointly by the web site and Ernst & Young. A Hotels.com spokesman
also confirmed the data breach, saying Ernst & Young notified the
company of the laptop loss on May 3. The laptop in question was stolen
from an Ernst & Young worker's car in Texas and did have some basic
data protection mechanisms such as, erm, the need for a password.

"Recently, Hotels.com was informed by its outside auditor, Ernst &
Young, that one of Ernst & Young's employees had his laptop computer
stolen," Hotels.com told its customers in the letter. "Unfortunately,
the computer contained certain information about customer transactions
with Hotels.com, and other sites through which we provide booking
services directly to customers, from 2002 through 2004.

"This information may have included your name, address and some credit
or debit card information you provided at that time."

Ernst & Young in February lost one laptop that held information on
what's believed to be tens of thousands of Sun, IBM, Cisco, BP and
Nokia employees. It's not clear if this was the same system in the
Hotels.com incident. Ernst & Young has not returned our calls seeking
comment and has been reluctant to provide information on these
incidents in the past.

Ernst & Young in February also lost four laptops in Miami when its
workers decided to leave their systems in a hotel conference room
while they went out for lunch.

Major media outlets have so far ignored the Ernst & Young laptop
incidents, although they were quick to follow on our confirmation of a
Fidelity data breach that saw 200,000 HP workers have their
information exposed.

Ernst & Young offers a variety of security services to customers, and
encourages clients to be transparent with their policies around
customer data issues. The company, however, has not exactly been
proactive with regard to its own issues. ®

More information about the ISN mailing list