The names and credit-card numbers of 243,000 Hotels.com customers were on a laptop computer stolen from an employee of accounting firm Ernst & Young, according to sources familiar with the matter.

Now why would an employee be carrying that type of information on their laptop? And if there was a reason, why wasn't that laptop handcuffed to their wrist? ;)

they are their auditors I assume, but still, why the credit cards? Unless they need them to reconcile or some other accounting thing. Either way, you can ruin a business this way.

Hi,

The big accounting companies *repeatedly* do this, while other parts of their business profitably spout off about security measures.

For once I'm entirely in favour of a litigious US citizen suing the fear of Arthur Anderson into them for being so negligent with other people's IDs and lives.

Rgds

Damon

They were auditing the books of Hotels.com. That meant having the oracle db available. The cc numbers were stored in the db along with the rest of the sales/customer information.

I am stunned that ernst and young decided to report this at all. 99% of these cases the public never hears about. Which leads me to wonder if there is more to this story than is being told.

The cc numbers were stored in the db along with the rest of the sales/customer information.

Would I be correct in assuming that the data on that laptop should have been treated as if it were cash on an armored truck? How or why would someone transport data in that manner without security, etc.?

This theft occurred in 2006 February.

Average thief will probably sell it for $200 anyway--unless they see what's in there.

And now that the story's been plastered all over, it's less likely it will get cheaply sold and more likely the laptop will fall into the hands of hackers who will easily get all the numbers.

Brett,
I think CA has laws that mandate some type of notification, and it's safe to say that at least one California resident used Hotels.com.

...Ernst & Young only recently was able to determine what was on the computer's hard drive.

What, the thieves got away with the employee's voice, too?

I think CA has laws that mandate some type of notification, and it's safe to say that at least one California resident used Hotels.com.

I believe that companies that are established in California need to notify the customers. Not the actual people residing in California. If the other way was true, we would be hearing alot more about identity theft if it was based on where the victims lived instead of where the company is located for disclosure purposes.

>> need to notify the customers. Not the actual people residing in California

better to issue a press release, at least you can sugarcoat it a bit. Once CA residents get those notices, don't you think the national media will find out right away?

Another one:
"Medicare beneficiary data left in hotel"
An auditor for the Department of Health and Human Services' inspector general came across the information a few weeks later when using the same hotel computer in Baltimore, Medicare officials disclosed Friday."

"The Medicare incident comes just a month after the theft of a computer containing personal information about 26.5 million veterans."
[news.yahoo.com...]

Anyone seeing an opportunity to start a new business here?

As soon as I heard about it, even before reading through the thread I was thinking that it should be a law stating that CC should never be stored on mobile device or should only reside on the secured production server.

As a small biz do you know what will happen to me if client knew that I was walking around with a DB backup including clients' CC (of course it’s a figure of speech)

those wanting to talk about other hotels.com issues (like affiliate programs) - please grab another thread...

Wanna bet by "password protected" they mean the windows login? LoL.
Yes, they deserve to be sued. No company should store credit card info server side.
You should see how many store the "magic three" numbers too.

Wanna bet by "password protected" they mean the windows login? LoL.

That's what I figured, since they didn't say "encrypted." But, then, maybe they were just writing to the average person with a credit card.

>>The big accounting companies *repeatedly* do this, while other parts of their business profitably spout off about security measures.

This comment is right on. These are the same Bozos that charges Fortune 500 companies a million dollars to tell them how to protect this very information.

I smell a class action law suit. Imagine the workload this is going to create for credit card companies.

Once the credit cards have been billed successfully, why then keep the numbers? For identification purposes, I can understand the argument for keeping the last 4 digits of a credit card number, but all 16 numbers? Regardless of the encryption and password protection methods in place, keeping sensitive data needlessly is just asking for trouble. These companies need to be sued - period.

Hi,

Further: you are absolutely forbidden by VISA (and I assume the other schemes too) from keeping the 3-digit CVV security code AT ALL for EXACTLY this reason.

(If hotels.com or E&Y had this info then they would be in for one helluva ticking off or fine.)

Rgds

Damon

Hotels.com got lazy by just handing over the entire database.

The proper way to do this is to either delete the personal information or munge it before handing it over to auditors. If the auditors need personal info, it's provided on a case by case basis - not on a wholesale basis.

That's what's properly and normally done, and what hotels.com didn't do. The auditor screwed up, but it's hotel.com's fault for not being diligent. IMO of course :).

That's what's properly and normally done, and what hotels.com didn't do

Is there actually an accepted protocol here? It does sound like there should be. If there is and it was violated...whew!...this will be very, very messy.

This is soooo interesting! We just received a "Dear Valued Merchant" letter from our bank (a biggie.. WF).

They go on to explain the Payment Card Instustry Data Security Standards and how small merchants MUST COMPLY!

They state in their communication:

"If cardholder data for which you are responsible for is compromised, you may be subject to the following liabilities and fines associated with EACH instance of non-compliance:

* Potential fines of up to $500,000 (in the discrection of V and MC)
* All fraud losses incurred from the use of the compromised account numbers from the date of compromise going forward.
* The cost of re-issuing all cards associated with the compromise
* The cost of any additional fraud prevention
/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraud activity)."

Does anyone think HOTELS.COM / Ernst & Young will be held to the same standard that the little guy is threatened with? Now let's see, what's $500,000 * 243,000?

>> Does anyone think HOTELS.COM / Ernst & Young will be held to the same standard that the little guy is threatened with? Now let's see, what's $500,000 * 243,000?

they'd gladly pay 5X that amount if they could just undo this. This is much more serious as it has gotten lots of press and now Hotels.com will defintely lose a lot of the existing customers (whose cards will have to be replaced and they will have to worry about identity theft). New customers will also think hard now since now there is an added issue of trust, and they are plenty of alternatives to hotels.com. It's risky out there. Is encryption easy to do on laptops?

I doubt they would gladly pay $121 billion...

[bad joke]

I thought it was a bit strange that a laptop was going for $125 Millions on ebay

[/bad joke]

If there's a one in ten-thousand chance of you messing up an account you handle in a given year (i.e. in ten thousand years you can expect to screw up once), then your probability of messing up can be written 0.01%.

If your firm handles 100 such accounts you have 0.995% - less than 1%...

With 10,000 accounts the probability of messing up is 63.21%

If you have 100,000 accounts the probability is... 99.995%.

Considering the size of Ernst & Young - is it surprising that they make the odd mistake?

For those who will carefully check my figures (I know you're out there) I calculated it the chance of not screwing up in any account, i.e. 99.99%^(accounts)=chance of not screwing up -> 100-99.99%^(accounts)=chance of screwing up

I can't get over the neglect of some people. I am sure that employee would have been upset if his employeer lost his or hers pay check.

But to loose a laptop with a list of a quarter of a million clients credit card numbers.

This theft occurred in 2006 February.

...Ernst & Young only recently was able to determine what was on the computer's hard drive.

What, the thieves got away with the employee's voice, too?

No kidding. They probably spent as much time as they could trying to find the laptop, then as much time as they could stalling some more. "Uhhh, it's taking a little extra time to complete the audit."

>> I doubt they would gladly pay $121 billion...
My bad. Didn't read carefully enough to see that the amount was for each violation.

Be interested to know if the CV2's (the security code on the signature strip) were on the database.

Pete