Sunday, June 04, 2006

Incident: Hotels.com customer info on laptop stolen from auditor in February

OK. Now I'm a little mad. Another laptop reportedly stolen from an auditor. These have gotten too routine.

But this time, there's a good chance my personal information may have been on the stolen laptop. The data is from Hotels.com, a subsidiary of Expedia.com. This company also handles hotels booked through the Air Canada website using their Destina service. This is a service I've used in the past.

I haven't gotten a letter, but with information on 243,000 customers, I expect this is a subset of customers from 2002, 2003, 2004.

It is particularly rich that Hotels.com and Ernst & Young is suggesting that customers "take appropriate action to protect their personal information". Hello? You're suggesting that I take appropriate action to protect my personal information? How about you and your auditors taking appropriate action to protect my personal information. You can start by not letting it leave the building on a laptop. But if you don't follow that basic step, you could think about encrypting the information.

Here's the story from the Associated Press:

Hotels.com customer info may be at risk - Yahoo! News:

SEATTLE - Thousands of Hotels.com customers may be at risk for credit card fraud after a laptop computer containing their personal information was stolen from an auditor, a company spokesman said Saturday.

The password-protected laptop belonging to an Ernst & Young auditor was taken in late February from a locked car, said Paul Kranhold, spokesman for Hotels.com, a subsidiary of Expedia.com based in Bellevue, Wash.

"As a result of our ongoing communication with law enforcement, we don't have any indication that any credit card numbers have been used for fraudulent activity," Kranhold said. "It appears the laptop was not the target of the break-in."

Both Hotels.com and Ernst & Young mailed letters to Hotels.com customers this past week encouraging them to take appropriate action to protect their personal information.

The transactions recorded on the laptop were mostly from 2004, although some were from 2003 or 2002, the companies said. The computer contained personal information including names, addresses and credit card information of about 243,000 Hotels.com customers. It did not include their Social Security numbers.

Ernst & Young, which has been the outside auditor for Hotels.com for several years, notified the company of the security breach on May 3.

"We deeply regret this incident has occurred and want to apologize to you and Hotels.com for any inconvenience or concern this may cause," said the unsigned memo from Ernst & Young dated May 2006.

Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor.

"We sincerely regret that this incident occurred and we are taking it very seriously," said the letter signed by Hotels.com general manager Sean Kell.

The letter from Hotels.com said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process."

2 comments:

Rob Hyndman said...

David -

What's particularly troubling is that an auditor was taking inadequate measures. Perhaps you've seen other incidents involving the big (what is it now - 5, 4, 3?) auditors, but this is a first for me.

What's next, Skadden Arps? Clifford Chance?

Incredible!!

David T.S. Fraser said...

Thanks for the comment, Rob.

There have been other auditors involved in privacy/security breaches. The best catalog of incidents is maintained here by PrivacyRights.Org.

It includes the following:

Feb. 23, 2006
Deloitte & Touche (McAfee employee information)
External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. 9,290

Mar. 15, 2006
Ernst & Young (UK)
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Unknown

May 19, 2006
American Institute of Certified Public Accountants (AICPA)
(New York, NY)

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
300,000