[ISN] Lost Ernst & Young laptop exposes IBM staff

InfoSec News isn at c4i.org
Fri Mar 17 03:35:09 EST 2006


By Ashlee Vance in Mountain View
15th March 2006 

Exclusive - Ernst & Young has lost another laptop containing the
social security numbers and other personal information of its clients'
employees. This time, the incident puts thousands of IBM workers at

Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst &
Young employee's car in January. The employee handled some of the tax
functions Ernst & Young does for IBM workers who have been stationed
overseas at one time or another during their careers. As a result of
the theft, the names, dates of birth, genders, family sizes, SSNs and
tax identifiers for IBM employees have been exposed.

The husband of one IBM employee has provided The Register with an
exclusive copy of the letter Ernst & Young mailed out to the affected
parties. This particular letter did not arrive until 8 March - two
months after the theft.

Neither IBM nor Ernst & Young have returned calls seeking comment.

Last month, The Register revealed that another Ernst & Young laptop
theft had exposed the social security number and other personal
information of Sun Microystems CEO Scott McNealy and an unknown number
of other people. Since our story ran, a Cisco employee informed us
that his data was on the same laptop as the one containing McNealy's

The loss of the IBM data outraged Jeff Moran, the husband of the IBM
worker told of the data breach.

"Ernst & Young has a policy that this type of information is not
supposed to be on a laptop," Moran said. "Yet, these guys download the
data because it's convenient for them."

"All of our information is out there, and they didn't bother to tell
us until March. By that time, the thief would have already used the
information. This is an outrage, but until Congress starts punishing
these guys, nothing will happen."

The letter from Ernst & Young states that the company does tax work
for current and former overseas workers of IBM. In this role, the
auditing firm needs information such as an employee's address, family
size, US social security number and tax identification number. It then
holds onto this information for at least seven years.

"The employee whose laptop was stolen is part of a group in our tax
practice that works regularly with historical data files, assisting
our Global Mobility and other tax professionals with data conversion,
formatting and analysis," Ernst and Young wrote in the letter. "In
connection with his job, the employee ran reports, which result in
files being created on the laptop.

"We have determined that the laptop contained various personal
information for a select number of IBM employees. Among the items of
information included for some or all of these employees were name,
address, US social security number, email address, and country where

Nothing short of a nirvana for an identity thief.

Ernst & Young has offered those affected a free, 12 month credit
monitoring service provided by Experian. The service includes a
hotline that IBM employees can call. Moran made such a call and found
the staffer to be most unhelpful.

"I left my name and number and no one called me back for ages," he
said. "Then the guy says that this will never happen again in the
future. So, I pointed out that they had lost McNealy's information
after our thing happened. He didn't have a response to that."

We called the Ernst and Young hotline for IBM employees and asked if
it was the right place to ask about the IBM workers who had their data
exposed via the laptop theft. The employee responded with a curt,
"yes" but would provide no other information.

Following the Sun/Cisco incident, Ernst & Young filed a police report
in Miami, noting that it had lost four more laptops. Its employees
left the systems in a conference room when they went out for lunch. A
security camera at the conference center showed that it took all of
about five minutes for two people to steal the laptops.

Ernst & Young maintains that the laptops are password protected and do
not pose a significant security risk.

But such statements have not impressed security experts following the

"For a big four firm consisting of auditors and compliance
professionals to say such a thing is very revealing of their lack of
understanding and ignorance of security controls (and how to defeat
them)," wrote one Register reader.

"I work for a information security consulting company and we routinely
demonstrate to our customers how simple it is to
circumvent/bypass/subvert security controls in order to gain access to
personal computing devices -even those that are deemed to be secure as
a result of the implemented security - BIOS password, hard drive
password, OS password, strong authentication, etc."

Other readers backed up this sentiment, saying that their experience
with the big four accounting firms shows that the companies rarely
encrypt data on laptops or use sophisticated security measures.

Ernst & Young continues to avoid copping to these incidents in public,
preferring for us and police blotters to expose the details. It's
unclear how many more laptops have gone missing and have not been
reported, and the company's security measures seem disconcerting to
say the least for a company that specialises in accounting and
auditing. Ernst & Young often gets paid to assess how well clients are
complying with government policies around data protection and how
forthcoming these clients are with discussing data breaches.

Ernst & Young has yet to return our calls seeking information about
what is being done to prevent future losses, whether this data should
have been on laptops in the first place and if anyone has been held
accountable for the string of breaches. ®

More information about the ISN mailing list