Sunday, June 04, 2006

Incident: customer info on laptop stolen from auditor in February

OK. Now I'm a little mad. Another laptop reportedly stolen from an auditor. These have gotten too routine.

But this time, there's a good chance my personal information may have been on the stolen laptop. The data is from, a subsidiary of This company also handles hotels booked through the Air Canada website using their Destina service. This is a service I've used in the past.

I haven't gotten a letter, but with information on 243,000 customers, I expect this is a subset of customers from 2002, 2003, 2004.

It is particularly rich that and Ernst & Young is suggesting that customers "take appropriate action to protect their personal information". Hello? You're suggesting that I take appropriate action to protect my personal information? How about you and your auditors taking appropriate action to protect my personal information. You can start by not letting it leave the building on a laptop. But if you don't follow that basic step, you could think about encrypting the information.

Here's the story from the Associated Press: customer info may be at risk - Yahoo! News:

SEATTLE - Thousands of customers may be at risk for credit card fraud after a laptop computer containing their personal information was stolen from an auditor, a company spokesman said Saturday.

The password-protected laptop belonging to an Ernst & Young auditor was taken in late February from a locked car, said Paul Kranhold, spokesman for, a subsidiary of based in Bellevue, Wash.

"As a result of our ongoing communication with law enforcement, we don't have any indication that any credit card numbers have been used for fraudulent activity," Kranhold said. "It appears the laptop was not the target of the break-in."

Both and Ernst & Young mailed letters to customers this past week encouraging them to take appropriate action to protect their personal information.

The transactions recorded on the laptop were mostly from 2004, although some were from 2003 or 2002, the companies said. The computer contained personal information including names, addresses and credit card information of about 243,000 customers. It did not include their Social Security numbers.

Ernst & Young, which has been the outside auditor for for several years, notified the company of the security breach on May 3.

"We deeply regret this incident has occurred and want to apologize to you and for any inconvenience or concern this may cause," said the unsigned memo from Ernst & Young dated May 2006.

Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor.

"We sincerely regret that this incident occurred and we are taking it very seriously," said the letter signed by general manager Sean Kell.

The letter from said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process."


Rob Hyndman said...

David -

What's particularly troubling is that an auditor was taking inadequate measures. Perhaps you've seen other incidents involving the big (what is it now - 5, 4, 3?) auditors, but this is a first for me.

What's next, Skadden Arps? Clifford Chance?


David T.S. Fraser said...

Thanks for the comment, Rob.

There have been other auditors involved in privacy/security breaches. The best catalog of incidents is maintained here by PrivacyRights.Org.

It includes the following:

Feb. 23, 2006
Deloitte & Touche (McAfee employee information)
External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. 9,290

Mar. 15, 2006
Ernst & Young (UK)
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Unknown

May 19, 2006
American Institute of Certified Public Accountants (AICPA)
(New York, NY)

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.