Hotels.com credit-card numbers stolen
"..on a laptop stolen from an Ernst & Young employee."
walkman
msg:276282
 6:46 pm on Jun 2, 2006 (gmt 0)

"Ernst & Young added that the computer was password-protected and there was no indication the information had been accessed or misused."
[money.cnn.com...]

These companies need to be sued for a lot of money before they use encryption and other secure methods. The average thief will probably sell it for $200 anyway--unless they see what's in there.

pageoneresults
msg:276283
 6:50 pm on Jun 2, 2006 (gmt 0)

The names and credit-card numbers of 243,000 Hotels.com customers were on a laptop computer stolen from an employee of accounting firm Ernst & Young, according to sources familiar with the matter.

Now why would an employee be carrying that type of information on their laptop? And if there was a reason, why wasn't that laptop handcuffed to their wrist? ;)

walkman
msg:276284
 6:53 pm on Jun 2, 2006 (gmt 0)

They are their auditors, I assume, but still, why the credit cards? Unless they need them to reconcile or for some other accounting thing. Either way, you can ruin a business this way.

DamonHD
msg:276285
 7:29 pm on Jun 2, 2006 (gmt 0)

Hi,

The big accounting companies *repeatedly* do this, while other parts of their business profitably spout off about security measures.

For once I'm entirely in favour of a litigious US citizen suing the fear of Arthur Anderson into them for being so negligent with other people's IDs and lives.

Rgds

Damon

Brett_Tabke
msg:276286
 7:35 pm on Jun 2, 2006 (gmt 0)

They were auditing the books of Hotels.com. That meant having the Oracle DB available. The CC numbers were stored in the DB along with the rest of the sales/customer information.

I am stunned that Ernst & Young decided to report this at all. In 99% of these cases the public never hears about it. Which leads me to wonder if there is more to this story than is being told.

pageoneresults
msg:276287
 7:56 pm on Jun 2, 2006 (gmt 0)

The CC numbers were stored in the DB along with the rest of the sales/customer information.

Would I be correct in assuming that the data on that laptop should have been treated as if it were cash on an armored truck? How or why would someone transport data in that manner without security, etc.?

This theft occurred in February 2006.

LifeinAsia
msg:276288
 8:23 pm on Jun 2, 2006 (gmt 0)

The average thief will probably sell it for $200 anyway--unless they see what's in there.

And now that the story's been plastered all over, it's less likely it will get cheaply sold and more likely the laptop will fall into the hands of hackers who will easily get all the numbers.

walkman
msg:276289
 8:40 pm on Jun 2, 2006 (gmt 0)

Brett,
I think CA has laws that mandate some type of notification, and it's safe to say that at least one California resident used Hotels.com.

jimbeetle
msg:276290
 8:52 pm on Jun 2, 2006 (gmt 0)

...Ernst & Young only recently was able to determine what was on the computer's hard drive.

What, the thieves got away with the employee's voice, too?

youfoundjake
msg:276291
 9:28 pm on Jun 2, 2006 (gmt 0)

I think CA has laws that mandate some type of notification, and it's safe to say that at least one California resident used Hotels.com.

I believe that companies that are established in California need to notify the customers. Not the actual people residing in California. If the other way were true, we would be hearing a lot more about identity theft if it was based on where the victims lived instead of where the company is located for disclosure purposes.

walkman
msg:276292
 10:37 pm on Jun 2, 2006 (gmt 0)

>> need to notify the customers. Not the actual people residing in California

Better to issue a press release; at least you can sugarcoat it a bit. Once CA residents get those notices, don't you think the national media will find out right away?

walkman
msg:276293
 3:10 am on Jun 3, 2006 (gmt 0)

Another one:
"Medicare beneficiary data left in hotel"
"An auditor for the Department of Health and Human Services' inspector general came across the information a few weeks later when using the same hotel computer in Baltimore, Medicare officials disclosed Friday."

"The Medicare incident comes just a month after the theft of a computer containing personal information about 26.5 million veterans."
[news.yahoo.com...]

Anyone seeing an opportunity to start a new business here?

henry0
msg:276294
 11:32 am on Jun 3, 2006 (gmt 0)

As soon as I heard about it, even before reading through the thread, I was thinking that there should be a law stating that CC numbers should never be stored on a mobile device and should only reside on the secured production server.

As a small biz, do you know what would happen to me if a client knew that I was walking around with a DB backup including clients' CC numbers? (Of course it's a figure of speech.)

Brett_Tabke
msg:276295
 1:56 pm on Jun 3, 2006 (gmt 0)

Those wanting to talk about other hotels.com issues (like affiliate programs) - please grab another thread...

amznVibe
msg:276296
 3:23 pm on Jun 3, 2006 (gmt 0)

Wanna bet by "password protected" they mean the Windows login? LoL.
Yes, they deserve to be sued. No company should store credit card info server side.
You should see how many store the "magic three" numbers too.

oneguy
msg:276297
 3:46 pm on Jun 3, 2006 (gmt 0)

Wanna bet by "password protected" they mean the Windows login? LoL.

That's what I figured, since they didn't say "encrypted." But, then, maybe they were just writing to the average person with a credit card.

BillyS
msg:276298
 7:46 pm on Jun 3, 2006 (gmt 0)

>>The big accounting companies *repeatedly* do this, while other parts of their business profitably spout off about security measures.

This comment is right on. These are the same Bozos that charge Fortune 500 companies a million dollars to tell them how to protect this very information.

I smell a class action lawsuit. Imagine the workload this is going to create for credit card companies.

twinsrul
msg:276299
 10:37 pm on Jun 3, 2006 (gmt 0)

Once the credit cards have been billed successfully, why then keep the numbers? For identification purposes, I can understand the argument for keeping the last 4 digits of a credit card number, but all 16 numbers? Regardless of the encryption and password protection methods in place, keeping sensitive data needlessly is just asking for trouble. These companies need to be sued - period.

DamonHD
msg:276300
 12:32 pm on Jun 4, 2006 (gmt 0)

Hi,

Further: you are absolutely forbidden by VISA (and I assume the other schemes too) from keeping the 3-digit CVV security code AT ALL for EXACTLY this reason.

(If hotels.com or E&Y had this info then they would be in for one helluva ticking off or fine.)

Rgds

Damon

wheel
msg:276301
 1:08 am on Jun 5, 2006 (gmt 0)

Hotels.com got lazy by just handing over the entire database.

The proper way to do this is to either delete the personal information or munge it before handing it over to auditors. If the auditors need personal info, it's provided on a case-by-case basis - not on a wholesale basis.

That's what's properly and normally done, and what hotels.com didn't do. The auditor screwed up, but it's hotels.com's fault for not being diligent. IMO of course :).

jimbeetle
msg:276302
 3:26 am on Jun 5, 2006 (gmt 0)

That's what's properly and normally done, and what hotels.com didn't do.

Is there actually an accepted protocol here? It does sound like there should be. If there is and it was violated...whew!...this will be very, very messy.

arnarn
msg:276303
 3:32 am on Jun 5, 2006 (gmt 0)

This is soooo interesting! We just received a "Dear Valued Merchant" letter from our bank (a biggie... WF).

They go on to explain the Payment Card Industry Data Security Standards and how small merchants MUST COMPLY!

They state in their communication:

"If cardholder data for which you are responsible is compromised, you may be subject to the following liabilities and fines associated with EACH instance of non-compliance:

* Potential fines of up to $500,000 (at the discretion of V and MC)
* All fraud losses incurred from the use of the compromised account numbers from the date of compromise going forward.
* The cost of re-issuing all cards associated with the compromise
* The cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of systems for fraud activity)."

Does anyone think HOTELS.COM / Ernst & Young will be held to the same standard that the little guy is threatened with? Now let's see, what's $500,000 * 243,000?

walkman
msg:276304
 3:59 am on Jun 5, 2006 (gmt 0)

>> Does anyone think HOTELS.COM / Ernst & Young will be held to the same standard that the little guy is threatened with? Now let's see, what's $500,000 * 243,000?

They'd gladly pay 5X that amount if they could just undo this. This is much more serious as it has gotten lots of press, and now Hotels.com will definitely lose a lot of its existing customers (whose cards will have to be replaced and who will have to worry about identity theft). New customers will also think hard now, since there is an added issue of trust, and there are plenty of alternatives to hotels.com. It's risky out there. Is encryption easy to do on laptops?

zoltan
msg:276305
 5:44 am on Jun 5, 2006 (gmt 0)

I doubt they would gladly pay $121 billion...

le_gber
msg:276306
 8:29 am on Jun 5, 2006 (gmt 0)

[bad joke]

I thought it was a bit strange that a laptop was going for $125 million on eBay

[/bad joke]

vincevincevince
msg:276307
 9:15 am on Jun 5, 2006 (gmt 0)

If there's a one in ten-thousand chance of you messing up an account you handle in a given year (i.e. in ten thousand years you can expect to screw up once), then your probability of messing up can be written 0.01%.

If your firm handles 100 such accounts you have 0.995% - less than 1%...

With 10,000 accounts the probability of messing up is 63.21%

If you have 100,000 accounts the probability is... 99.995%.

Considering the size of Ernst & Young - is it surprising that they make the odd mistake?

For those who will carefully check my figures (I know you're out there): I calculated the chance of not screwing up in any account, i.e. 99.99%^(accounts) = chance of not screwing up -> 100% - 99.99%^(accounts) = chance of screwing up.
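Written out, the calculation the post above describes (an added derivation, not the poster's own text), with p the per-account yearly failure probability and n the number of accounts handled; the last line uses the approximation (1-p)^n ≈ e^{-np}, valid for small p:

$$
P(\text{at least one failure}) = 1 - (1-p)^n, \qquad p = 10^{-4}
$$

$$
\begin{aligned}
n = 100:     &\quad 1 - 0.9999^{100}    \approx 0.00995 = 0.995\% \\
n = 10^{4}:  &\quad 1 - 0.9999^{10^{4}} \approx 1 - e^{-1}  \approx 63.21\% \\
n = 10^{5}:  &\quad 1 - 0.9999^{10^{5}} \approx 1 - e^{-10} \approx 99.995\%
\end{aligned}
$$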

ashear
msg:276308
 10:45 am on Jun 5, 2006 (gmt 0)

I can't get over the neglect of some people. I am sure that employee would have been upset if his employer lost his or her paycheck.

But to lose a laptop with a list of a quarter of a million clients' credit card numbers...

oneguy
msg:276309
 11:58 am on Jun 5, 2006 (gmt 0)

This theft occurred in February 2006.

...Ernst & Young only recently was able to determine what was on the computer's hard drive.

What, the thieves got away with the employee's voice, too?

No kidding. They probably spent as much time as they could trying to find the laptop, then as much time as they could stalling some more. "Uhhh, it's taking a little extra time to complete the audit."

walkman
msg:276310
 1:19 pm on Jun 5, 2006 (gmt 0)

>> I doubt they would gladly pay $121 billion...
My bad. Didn't read carefully enough to see that the amount was for each violation.

PeteM
msg:276311
 2:46 pm on Jun 5, 2006 (gmt 0)

I'd be interested to know if the CV2s (the security code on the signature strip) were on the database.

Pete
