The Register is reporting on Ernst & Young’s loss of a laptop which had information on around 243,000 hotels.com customers. Apparently Hotels.com was notified on May 3rd. Apparently the laptop made use of a password as the only security measure. From the article….
“Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young’s employees had his laptop computer stolen,” Hotels.com told its customers in the letter. “Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004.
“This information may have included your name, address and some credit or debit card information you provided at that time.”
Ernst & Young in February lost one laptop that held information on what’s believed to be tens of thousands of Sun, IBM, Cisco, BP and Nokia employees. It’s not clear if this was the same system in the Hotels.com incident. Ernst & Young has not returned our calls seeking comment and has been reluctant to provide information on these incidents in the past.
Ouch – so Ernst & Young seems to be on a bit of a roll in the laptop loss area….
Ernst & Young in February also lost four laptops in Miami when its workers decided to leave their systems in a hotel conference room while they went out for lunch.
Ironically, Ernst & Young seems to encourage their clients to be open with data security issues, while they seem to be fairly tight-lipped on their own…..
Really and truly – I think we’re at a frightening point where most everyone will, at some point, in some way, be affected by the “loss” of a backup tape/disc, or notebook somewhere. EVEN THOSE that don’t do transactions online unfortunately are still at risk. As long as you have some sort of bank/credit account that someone keeps information on…. or a social security number (case in point VA data security breach…)
That’s just the tip of the iceberg though…..
We have This Security Fix article on a woman that had $200 worth of pizza delivered to her door by a local company. Apparently a prankster had called the local company, who, I suppose for convenience had kept her credit card information from the last order/visit……. So her information was on file in the pc’s database at the pizza shop. And what if they have a trojan/backdoor on their pc because when it’s slow “Bob” likes to browse the web?
Why do companies insist on saving information for convenience that could SO easily bite them in the back? Let me put it this way. If I were dealing with credit card transactions… which I’ve done just a very little of….. Find a third-party to process the data and NEVER EVER keep any of the information on file myself. I’m sorry if it’s inconvenient, I just don’t want to be responsible for anyone else’s information.
But…. there’s also this… not quite database mayhem, but it was described in a “we’re spinning to look good” sort of way… a “Phishing attempt…” that essentially HIJACKED the web pages of around 300 banks for a period of around 90 minutes….
The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid Spain to collect login credentials from unsuspecting customers.
George Ou had the first story I saw about it earlier today and this sort of thing should get MUCH tighter scrutiny in the press than it does. This was a hack – NOT a phishing attack. Goldleaf Technologies (the company handling the compromised sites) should be ASHAMED of itself for trying to get away with calling this a phishing attack. YES it was similar, the thieves were trying to steal login information, but MOST IMPORTANTLY they hijacked the OFFICIAL BANK PAGES in order to do that. HACK. SECURITY BREACH. Period, end of story.
Between the Lines (another zdnet blog) is talking about this same data breach today. Unfortunately, this has been widely UNDER-REPORTED and I am afraid the main reason is that most in the main media outlets are CLUELESS when it comes to reporting on technology issues. (Take the typical news coverage of computer viruses as a case in point.)
We DO need disclosure regulations of some sort. There SHOULD be a requirement of institutions to tell details of what happened, what they’re doing to prevent it from happening again, etc. AND THERE needs to be investigation of each incident by a third-party to verify that the organization is not giving a nice snow job in their disclosure. Some sort of incident auditing/computer forensic security auditor.
Well – get out the tinfoil hats I guess…. Makes me wonder how many organizations have had a database loss and never reported it?