Emulating the respect for client security so aptly demonstrated by the Veterans Administration, an employee of trusted auditor Ernst & Young lost the personal data… including many credit card numbers belonging to nearly a quarter million customers of Hotels.com.
The Register’s Ashlee Vance reports that the ostensible idiot had stored the data on a laptop, then left it in the car from which the computer escaped with the help of a thief.
Luckily, Hotels.com has a Security Policy:
When users submit sensitive information via the website, their information is protected both online and off-line. When our reservation order form asks users to enter sensitive information (such as credit card number), that information is encrypted and is protected with the best encryption software in the industry - Secure Socket Layer (SSL). While on a secure page, such as our order form, the lock icon on the bottom of Web browsers such as Netscape Navigator and Microsoft Internet Explorer becomes locked, as opposed to un-locked, or open, when users are just surfing.
While we use SSL encryption to protect sensitive information online, we also protect user-information off-line. All of our users’ information, not just the sensitive information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerk or a customer service representative) are granted access to personally identifiable information. Finally, the servers that store personally identifiable information are in a secure environment, in a locked facility.
Unfortunately, the policy doesn’t mention laptops lost by poorly trained employees of trusted auditing companies.
Unlike the VA analyst who lost 26.5 million vets’ records, the Ernst & Young thief will need a password to access the data. That could retard the process of data extraction by an hour or more, as the crook locates, downloads, and applies the appropriate password cracking software.
According to Vance, this is the fourth time the trusted auditor has lost data through apparent gross negligence. Remember the laptops stolen from the Miami conference room when the EY crew left them behind for lunch? Wow.
On Ernst & Young’s website, the global business advisor asks, “Does your organization have the flexibility to react quickly to changes in your external environment?”
We know one outfit that can’t possibly help you answer that question.

2 comments
June 2nd, 2006 at 3:08 pm
Mick
Yippie!!! First post, first post!!!!
I guess I can take Hotels.com off my list of trusted sites.
Seriously though, am I the only one wondering what the hell all of this sensitive information is doing on laptops in the first place? Shouldn’t information like this be made less portable, not more?
The dipstick employees that are carting this information all over town need to be publicly flogged. A heavy hand is the only suitable response to this sort of insolence. Of course, we’ll probably get nothing more than a big “oops” out of it.
June 2nd, 2006 at 3:41 pm
BJ Gillette
The biggest threat to database security is and always has been the slipshod users with authorization to access the data.