June 2, 2006 8:45 AM PDT

Laptop theft exposes Hotels.com data

A seemingly random theft has led to another potential breach of personal data--this time name, address and credit card information from Hotels.com customers.

A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on Hotels.com customers.

Hotels.com was notified of the theft of the laptop, which contained data for about 243,000 customers, on May 3, a representative for Hotels.com said. "Ernst & Young informed us that the vehicle was broken into in late February," said the representative. "We immediately began reconstructing the data. Once we were notified, we began working as expeditiously as possible to determine which customers were impacted and to notify them. We began sending letters to affected customers last week."

"We're the auditor for Expedia; this was part of the audit," Ken Kerrigan, deputy director of public relations for Ernst & Young, told CNET News.com on Friday. Ernst & Young was in the process of doing the audit when the car theft took place, making it entirely proper for the employee to be in possession of the information via laptop, Kerrigan said.

CNET News.com obtained copies of both the Hotels.com and Ernst & Young letters to affected customers.

According to the Ernst & Young letter, the Hotels.com file held certain personal information related to Hotels.com transactions, primarily from the year 2004. There were also a small number of transactions from 2003 and 2002. "We believe the transactions may have involved the payment card you used with Hotels.com or another Web site through which Hotels.com provided booking services directly to customers. Specifically, the information on the laptop may have included your name, address and some credit or debit card information you provided," the letter said.

The Hotels.com letter gives information on a toll-free call center to assist customers with questions, an offer for a free credit-monitoring service and instructions on how to file a fraud alert with credit card companies. Hotels.com has also contacted the credit card companies and informed them of specific customers whose cards have been compromised, the Hotels.com representative said.

While Kerrigan said he believes the incident was "just a car theft," the financial company has taken steps to more strongly protect confidential data.

"For the U.S. and Canada, as of May 31, 30,000 of our employees, which I believe is everyone, have password-protection and encryption software on their computers," Kerrigan said. He did not specify which vendor was providing the encryption software. "This computer was stolen before it was encrypted. It was password protected, but not with encryption software."

Ernst & Young has had other employee laptops stolen this year as well, according to news reports. The company said it is working with authorities on the latest laptop theft.

"At this time, we have no indication the information has been accessed or misused in any way," Ernst & Young said in a statement regarding the latest incident. "We are working closely with Hotels.com to reach out to their customers whose information was on the computer."

This incident is just one in a long line of security threats tied to misplaced, lost and stolen data.

On Thursday, the Texas Guaranteed Student Loan company reported that 1.3 million customers are in danger of ID theft, after an IT consultant lost hardware containing sensitive data. On May 22, the data of 26.5 million U.S. veterans and their spouses was stolen from a government employee who brought work home via a laptop. The day before that, it was discovered that hackers had possessed yearlong access to Ohio University servers. In April, it was discovered that a University of Southern California hacker gained access to the information of prospective students.

How useless these people are
I carry a laptop with me all the time and never ever do I leave it in a car, no matter what. And, mind you, I don't carry social security numbers on 200,000+ people...
These companies, and their employers, need to be punished hard for putting us all at risk.
Posted by lat3rintheday (3 comments )
When will they learn? Secure those Laptops
I wonder exactly where the laptop was in the vehicle or even if the car was locked. A NW provider, Providence had several laptops stolen and once the machine was in plain view with the door unlocked. Companies and the Government aren't making it very difficult for thieves because they're not protecting their data with Remote Laptop Security measures http://www.essentialsecurity.com/FAQ.htm#3.8.9

Fidelity, the VA, Bank Of America, Boeing... the laptop theft list just keeps growing. Are they ever going to learn? http://www.iwantmyess.com/?p=58
Posted by marileev (292 comments )
These people...
will only learn when it hits them in the wallet.
Posted by cashaww (77 comments )
carelessness with company property
Unfortunately, I think sometimes employees get careless with company laptops. Some employees don't take the same care if they purchased the machine themselves. If people thought about $749 to $1299 dollars sitting in plain view in their cars, they wouldn't just leave their laptop. They would probably take the same care you do Lat3rintheday http://www.essentialsecurity.com/educationalfacts.htm
Posted by marileev (292 comments )
Seriously people, if you have to work on sensitive documents or data, have that tied to a desk workstation in an actual office, where physical security measures can also play a part in keeping the information safe.
There is NO reason why you should be using a laptop if you work with or are in charge with this type of data, EVER.
Posted by Kindred_ (10 comments )
SOX & GLBA + Risk Training
Companies have an opportunity to learn from the misfortunes of Hotels.com/Ernst & Young, and the other enterprises who've succumbed to Laptop and information breaches. The most effective plan is thorough Risk Training and implementing software which suits your business needs and complies with codes like SOX or Gramm-Leach-Bliley:

GLBA (U.S. Code) 6801 - Customer/client confidentiality and security must be guaranteed. Records and information must be protected against any anticipated threats, hazards and unauthorized access.

Once employees understand the risks of data loss they will (hopefully) do business smarter by securing their documents, emails and laptops http://www.essentialsecurity.com/Documents/article16.htm

We should take a page from Warren Buffett's Lessons for Corporate America "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
Posted by marileev (292 comments )
Need Whole Disk Encryption
I think something more appropriate for securing data at rest like this would be a whole-disk encryption program such as comes with PGP Desktop 9. I don't store any corporate data on my notebook, just personal info like bank account numbers, and I would not take a computer out of my home office without using a whole disk encryption program. If you can't afford PGP Desktop 9 (www.pgp.com), check out TrueCrypt (www.truecrypt.com). It's totally shameful that these data losses are continuing and seem to be getting worse.
Posted by czmyt (70 comments )
Dopey Morons
What stupid, careless, a-holes. Maybe there should be a law that says because cavalier employees don't seem to give a toss about what happens to other people's information, they should be restricted to using desktop computers. Or maybe a law that says if you leave a laptop laying around in a car, and it gets stolen, and data gets compromised, it's an automatic 20 years in federal prison.
Posted by foxlake (6 comments )
It makes you wonder
just how many of these "random break-ins" are accidents! I would imagine some organized crime rings would pay a great deal for this much info!
I leave my laptop in my car all the time (nothing important on it) and it's never been taken! Just makes ya wonder!!!
Posted by jaberd (1 comment )
lack of trust= lack of business
Some companies don't see Risk Education as an important factor. Being careful and securing laptops will in the end hurt them financially. When businesses aren't seen as trustworthy clients/customers will find someone else to do business with http://www.essentialsecurity.com/Documents/article2.htm
Posted by marileev (292 comments )
An auditor that stupid?
One of the services that E&Y proudly provides is computer and data security audit. Makes you wonder...

I am a business consultant. I NEVER leave my laptop in a car.
Posted by Lemiz (6 comments )
Failure by Design
Isn't it time to start holding the business, system, application and data designers responsible for these data thefts?

After years of exposures of private data, we still have applications designed and developed with private data co-mingled with other data. Private data needs to be placed 'behind the wall', secured, encrypted and blocked from the general users -- yes, even including auditors.

That the data is not segregated and secured is an architectural failure, attributable directly to those "professionals" who allow private data to be abused in the first place.
Posted by bw49 (5 comments )
E&Y Customers Are Also To Blame
I work with auditors all the time. We NEVER allow them to take sensitive info out of our facilities. What was Hotels.com thinking when they handed over their customer transaction logs? Or IBM when they gave out the personnel file?
Posted by ll04269 (1 comment )
Sounds great.

hotels (http://www.hotelicia.com)
Posted by madirid (20 comments )