[ISN] 40,000 BP workers exposed in Ernst & Young laptop loss

InfoSec News isn at c4i.org
Fri Mar 24 03:41:19 EST 2006


By Ashlee Vance in Mountain View
23rd March 2006

Exclusive - Like sands through the hourglass, these are The Days of
Ernst & Young laptop loss. Yes, friends, The Register can confirm that
BP has been added to the list of Ernst & Young customers whose
personal data has been exposed after a laptop theft. BP joins Sun
Microsystems, Cisco and IBM in this not so exclusive club.

Ernst & Young has sent out a letter to all 38,000 BP employees in the
US, telling them that a laptop theft had exposed their names and
social security numbers. To keep the BP staff's mind at ease, Ernst &
Young said that the file name containing their info did not indicate
what type of information was on the laptop, and the laptop was
password protected. Phew!

Ernst & Young confirmed that this is the very same laptop that held
data on the Sun, Cisco and IBM workers. All of these data losses were
revealed by us in a set of exclusive stories. Ernst & Young also
recently lost four more laptops in Miami, although it has not said
which customers were affected in those incidents.

Oddly, the Ernst & Young saga has gone untouched by other media
outlets. That's somewhat surprising given the vigor with which
security reporters chased down our initial confirmation yesterday that
a Fidelity Investments laptop loss had exposed the personal
information of 200,000 HP employees.

Ernst & Young continues to maintain a code of silence around the
laptop thefts, saying only that the BP/Sun/IBM/Cisco machine was
password protected. This speak no evil policy has resulted in a string
of stories as Ernst & Young customers are told one by one about the

It's difficult to obtain an exact figure on how many people have been
affected by Ernst & Young's security lapse given that it won't say
anything on the subject. We do, however, know that the IBM data breach
exposed all current and former employees who have worked overseas at
some point in their career. So, we're likely talking well over 100,000
people in that one incident.

You have to wonder how long these thefts can continue before the
financial services companies start explaining why key customer data
was sitting on laptops and why workers felt it okay to leave these
laptops in their cars or in conference rooms. The lack of action on
their part will no doubt encourage legislators to step in at some

Keep your letters coming. ®

More information about the ISN mailing list