These companies need to be sued for a lot of money before they use encryption and other secure methods. The average thief will probably sell it for $200 anyway--unless they see what's in there.
The names and credit-card numbers of 243,000 Hotels.com customers were on a laptop computer stolen from an employee of accounting firm Ernst & Young, according to sources familiar with the matter.
Now why would an employee be carrying that type of information on their laptop? And if there was a reason, why wasn't that laptop handcuffed to their wrist? ;)
The big accounting companies *repeatedly* do this, while other parts of their business profitably spout off about security measures.
For once I'm entirely in favour of a litigious US citizen suing the fear of Arthur Andersen into them for being so negligent with other people's IDs and lives.
I am stunned that Ernst & Young decided to report this at all. In 99% of these cases the public never hears about it. Which leads me to wonder if there is more to this story than is being told.
The cc numbers were stored in the db along with the rest of the sales/customer information.
Would I be correct in assuming that the data on that laptop should have been treated as if it were cash on an armored truck? How or why would someone transport data in that manner without security, etc.?
This theft occurred in 2006 February.
I think CA has laws that mandate some type of notification, and it's safe to say that at least one California resident used Hotels.com.
"The Medicare incident comes just a month after the theft of a computer containing personal information about 26.5 million veterans."
Anyone seeing an opportunity to start a new business here?
As a small biz, do you know what would happen to me if a client knew that I was walking around with a DB backup including clients' CC numbers? (Of course it's a figure of speech.)
This comment is right on. These are the same Bozos that charge Fortune 500 companies a million dollars to tell them how to protect this very information.
I smell a class action law suit. Imagine the workload this is going to create for credit card companies.
The proper way to do this is to either delete the personal information or munge it before handing it over to auditors. If the auditors need personal info, it's provided on a case by case basis - not on a wholesale basis.
That's what's properly and normally done, and what hotels.com didn't do. The auditor screwed up, but it's hotels.com's fault for not being diligent. IMO of course :).
They go on to explain the Payment Card Industry Data Security Standards and how small merchants MUST COMPLY!
They state in their communication:
"If cardholder data for which you are responsible for is compromised, you may be subject to the following liabilities and fines associated with EACH instance of non-compliance:
* Potential fines of up to $500,000 (at the discretion of V and MC)
* All fraud losses incurred from the use of the compromised account numbers from the date of compromise going forward.
* The cost of re-issuing all cards associated with the compromise
* The cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of systems for fraud activity)."
Does anyone think HOTELS.COM / Ernst & Young will be held to the same standard that the little guy is threatened with? Now let's see, what's $500,000 * 243,000?
They'd gladly pay 5X that amount if they could just undo this. This is much more serious as it has gotten lots of press, and now Hotels.com will definitely lose a lot of its existing customers (whose cards will have to be replaced and who will have to worry about identity theft). New customers will also think hard now, since there is an added issue of trust, and there are plenty of alternatives to hotels.com. It's risky out there. Is encryption easy to do on laptops?
If your firm handles 100 such accounts you have 0.995% - less than 1%...
With 10,000 accounts the probability of messing up is 63.21%
If you have 100,000 accounts the probability is... 99.995%.
Considering the size of Ernst & Young - is it surprising that they make the odd mistake?
For those who will carefully check my figures (I know you're out there): I calculated the chance of not screwing up on any account, i.e. 99.99%^(accounts) = chance of not screwing up -> 100% - 99.99%^(accounts) = chance of screwing up.
...Ernst & Young only recently was able to determine what was on the computer's hard drive.
What, the thieves got away with the employee's voice, too?
No kidding. They probably spent as much time as they could trying to find the laptop, then as much time as they could stalling some more. "Uhhh, it's taking a little extra time to complete the audit."