A seemingly random theft has led to another potential breach of personal data--this time name, address and credit card information from Hotels.com customers.
A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on Hotels.com customers.
Hotels.com was notified of the theft of the laptop, which contained data for about 243,000 customers, on May 3, a representative for Hotels.com said. "Ernst & Young informed us that the vehicle was broken into in late February," said the representative. "We immediately began reconstructing the data. Once we were notified, we began working as expeditiously as possible to determine which customers were impacted and to notify them. We began sending letters to affected customers last week."
"We're the auditor for Expedia; this was part of the audit," Ken Kerrigan, deputy director of public relations for Ernst & Young, told CNET News.com on Friday. Ernst & Young was in the process of doing the audit when the car theft took place, making it entirely proper for the employee to be in possession of the information via laptop, Kerrigan said.
CNET News.com obtained copies of both the Hotels.com and Ernst & Young letters to affected customers.
According to the Ernst & Young letter, the Hotels.com file held certain personal information related to Hotels.com transactions, primarily from the year 2004. There were also a small number of transactions from 2003 and 2002. "We believe the transactions may have involved the payment card you used with Hotels.com or another Web site through which Hotels.com provided booking services directly to customers. Specifically, the information on the laptop may have included your name, address and some credit or debit card information you provided," the letter said.
The Hotels.com letter gives information on a toll-free call center to assist customers with questions, an offer for a free credit-monitoring service and instructions on how to file a fraud alert with credit card companies. Hotels.com has also contacted the credit card companies and informed them of specific customers whose cards have been compromised, the Hotels.com representative said.
While Kerrigan said he believes the incident was "just a car theft," the financial company has taken steps to more strongly protect confidential data.
"For the U.S. and Canada, as of May 31, 30,000 of our employees, which I believe is everyone, have password-protection and encryption software on their computers," Kerrigan said. He did not specify which vendor was providing the encryption software. "This computer was stolen before it was encrypted. It was password protected, but not with encryption software."
Ernst & Young has had other employee laptops stolen this year as well, according to news reports. The company said it is working with authorities on the latest laptop theft.
"At this time, we have no indication the information has been accessed or misused in any way," Ernst & Young said in a statement regarding the latest incident. "We are working closely with Hotels.com to reach out to their customers whose information was on the computer."
I carry a laptop with me all the time and never ever do I leave it in a car, no matter what. And, mind you, i don't carry social security numbers on 200,000+ people... These companies, and their employers, need to be punished hard for putting us all at risk.
I wonder exactly where the laptop was in the vehicle or even if the car was locked. A NW provider, Providence had several laptops stolen and once the machine was in plain view with the door unlocked. Companies and the Government aren't making it very difficult for thieves because they're not protecting their data with Remote Laptop Security measures <a class="jive-link-external" href="http://www.essentialsecurity.com/FAQ.htm#3.8.9" target="_newWindow">http://www.essentialsecurity.com/FAQ.htm#3.8.9</a>
Fidelity, the VA, Bank Of America, Boeing... the laptop theft list just keeps growing. Are they ever going to learn? <a class="jive-link-external" href="http://www.iwantmyess.com/?p=58" target="_newWindow">http://www.iwantmyess.com/?p=58</a>
Unfortunately, I think sometimes employees get careless with company laptops. Some employees don't take the same care if they purchased the machine themselves. If people though about $749 to $1299 dollars sitting in plain view in their cars, they wouldn't just leave their laptop. They would probably take the same care you do Lat3rintheday <a class="jive-link-external" href="http://www.essentialsecurity.com/educationalfacts.htm" target="_newWindow">http://www.essentialsecurity.com/educationalfacts.htm</a>
Seriously people, if you have to work on sensitive documents or data, have that tied to a desk workstation in an actual office, where physical security measure can also play a part in keeping the information safe. There is NO reason why you should be using a laptop if you work with or are in charge with this type of data, EVER.
Companies have an opportunity to learn from the misfortunes of Hotels.com/Earnst & Young, and the other enterprises who've succumbed to Laptop and information breaches. The most effective plan is thorough Risk Training and implementing software which suits your business needs and complies with codes like SOX or Gramm-Leach-Bliley:
GLBA (U.S. Code) 6801 - Customer/client confidentiality and security must be guaranteed. Records and information must be protected against any anticipated threats, hazards and unauthorized access.
Once employees understand the risks of data loss they will (hopefully) do business smarter by securing their documents, emails and laptops <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article16.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article16.htm</a>
We should take a page from Warren Buffett's Lessons for Corporate America "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
I think something more appropriate for securing data at rest like this would be a whole-disk encryption program such as comes with PGP Desktop 9. I don't store any corporate data on my notebook, just personal info like bank account numbers, and I would not take a computer out of my home office without using a whole disk encryption program. If you can't afford PGP Desktop 9 (www.pgp.com), check out TrueCrypt (www.truecrypt.com). It's totally shameful that these data losses are continuing and seem to be getting worse.
What stupid, careless, a-holes. Maybe there should be a law that says because cavalier employees don't seem to give a toss about what happens to other people's information, they should be restricted to using desktop computers. Or maybe a law that says if you leave a laptop laying around in a car, and it gets stolen, and data gets compromised, it's an automatic 20 years in federal prison.
just how many of these "random break-ins" are accidents! I would imagine some organized crime rings would pay a great deal for this much info! I leave my laptop in my car all the time( nothing important on it)and its never been taken! Just makes ya wonder!!!
Some companies don't see Risk Education as an important factor. Being careful and securing laptops will in the end hurt them financially. When businesses aren't seen as trustworthy clients/customers will find someone else to do business with <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article2.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article2.htm</a>
Isn't it time to start holding the business, system, application and data designers responsible for these data thefts?
After years of exposures of private data, we still have applications designed and developed with private data co-mingled with other data. Private data needs to be placed 'behind the wall', secured, encrypted and blocked from the general users -- yes, even including auditors.
That the data is not segregated and secured is an architectural failure, attributable directly to those "professionals" who allow private data to be abused in the first place.
I work with auditors all the time. We NEVER allow them to take sensitive info out of our facilities. What was Hotels.com thinking when they handed over their customer transaction logs? Or IBM when they gave out the personnel file?
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
These companies, and their employers, need to be punished hard for putting us all at risk.
Fidelity, the VA, Bank Of America, Boeing... the laptop theft list just keeps growing. Are they ever going to learn? <a class="jive-link-external" href="http://www.iwantmyess.com/?p=58" target="_newWindow">http://www.iwantmyess.com/?p=58</a>
There is NO reason why you should be using a laptop if you work with or are in charge with this type of data, EVER.
GLBA (U.S. Code) 6801 - Customer/client confidentiality and security must be guaranteed. Records and information must be protected against any anticipated threats, hazards and unauthorized access.
Once employees understand the risks of data loss they will (hopefully) do business smarter by securing their documents, emails and laptops <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article16.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article16.htm</a>
We should take a page from Warren Buffett's Lessons for Corporate America "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
I leave my laptop in my car all the time( nothing important on it)and its never been taken! Just makes ya wonder!!!
I am a business consultant. I NEVER leave my laptop in a car.
After years of exposures of private data, we still have applications designed and developed with private data co-mingled with other data. Private data needs to be placed 'behind the wall', secured, encrypted and blocked from the general users -- yes, even including auditors.
That the data is not segregated and secured is an architectural failure, attributable directly to those "professionals" who allow private data to be abused in the first place.
<a href="http://www.hotelicia.com">hotels</a>
http://www.hotelicia.com