Dear hotels.com customer
[This came in the mail today:]
Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young's employees had his laptop computer stolen. [Gosh, that's too bad. I hope it was insured.] Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 to 2004. [Well, that's what auditors look at, isn't it? Dollars, room-nights, yields...that sort of thing. Fortunately, it's all backed up in the original mainframe files. Isn't it?] This information may have included your name, address and some credit or debit card information you provided at that time. [WHAT? What the bloody eff was an E&Y employee doing prancing around with a laptop loaded with personal and credit card data? Don't you featherheads know that laptops are lost or stolen in the thousands every day? What kind of morons are in charge of security policy at one of the world's largest auditing firms? You don't have to answer, because I already know. The frigging kind.] [From Ernst & Young comes this gem in the same envelope:] The laptop required a password to use it. [Are you <i>kidding</i>? Give it to my 14-year-old, and he'll have your data ready for sale in a little under three minutes.] The relevant file was stored in a subdirectory several levels below the computer's main directory, and the file's name gave no indication of its contents. [NOW I know why the above-referenced employee was carrying around credit card files. <i>Because Ernst & Young are totally incompetent insofar as computer security is concerned.</i> If your best and brightest think that "security by obscurity" has the <u>remotest</u> chance of stopping fraud, you aren't qualified to audit the receipts of a lemonade stand. "No indication of its contents." Gimmie a freakin' break!
You think criminals don't have access to software that will scan a hard drive using the Luhn ABA checksum algorithm to locate credit card numbers? Where did you get your security credentials from, anyway? A cereal box?] We sincerely apologize for this unfortunate incident and have instituted enhanced security procedures to encrypt all of our laptop computers [have you used all the hacking tools available on the internet to test your encryption?] to provide additional protection for sensitive information... [How many managers have you canned? What are the credentials of their replacements? Why should anyone believe you know what you're doing, ever, ever again?]
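Added example, not part of this thread: the kind of content scan a defender runs over a machine's files before it leaves the building, which is why an obscure file name hides nothing. The file name and contents are constructed, and the card numbers are Luhn-valid sample values rather than real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of file an auditor might carry: the file
# name says nothing about its contents, but the contents are self-describing.
SAMPLE_FILE_NAME = "q1_misc_07.dat"  # assumed, deliberately obscure name
SAMPLE_FILE_TEXT = """txn_id,date,cust,card,amount
10293,2003-04-12,J. Doe,4111111111111111,129.00
10294,2003-04-13,A. Roe,4012 8888 8888 1881,88.50
10295,2003-04-13,ref 1234567890123456,4111111111111112,40.00
note: call 555-0100 ext 4321
"""

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum: every second digit from the right is doubled,
    doubled values above 9 are reduced by 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits (so a longer numeric field is not sliced up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask(digits: str) -> str:
    """Keep only the last four digits in any report output."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate.
    The regex alone over-matches (order refs, long IDs); Luhn removes the noise."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits

def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan any file regardless of its name or where it sits in the tree."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read())

if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE_FILE_TEXT):
        print(f"{SAMPLE_FILE_NAME}:{lineno}: possible card number {masked}")
```

Only the two real card numbers are reported; the 16-digit reference number and the number with a wrong check digit on the third row fail the checksum and are dropped.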
I just don't worry about this sort of thing any more (tired of doing so). You worry during your 1st flight, after that, you give up - it is all fate. 3 of my charge cards went through a multiple of unauthorized charges. In one case, someone ordered Traveller's checks (that is cash) from a CA bank via a phone call and got them delivered through Fedex! I didn't lose any money, but, sadly, nothing happened to the crooks. I even identified the lady who was doing some of it in the Dallas area, and the cops knew about her, but guess what, even they are worried about getting sued. Since I didn't lose any money, "we can't do a thing about it." Long live the crooks and criminals!
It <b>could</b> easily have been much worse such as the recent theft of information from a US Government employee who had taken computer files home and it <b>included</b> social security numbers of thousands of veterans.
Perhaps you should get a job with Hotels.com and fix all this forever.
It wasn't hotels.com, it was Ernst & Young that screwed up. But neither one can afford me anyway.
It never stops does it? Wells Fargo has had their independent contractors' laptops stolen that had thousands of their clients' information on the laptops (clients that have mortgages with Wells Fargo), yes recently our US Veterans etc and on and on. But meanwhile we are reminded constantly to shred every scrap of paper with any personal information on it (which I do) but it kind of makes me laugh. As though our shredding our personal papers takes care of avoiding ID theft. NOT! Thanks for posting Robespierre, wonder if I will receive a letter too.
You're right about the companies - never mind the police - not caring who is doing the thefts. Someone got my AMEX info several years ago and within a couple of hours had charged 12 tickets to the Dominican Republic for the next day and a bunch of stuff from various stores delivered to an address in the Bronx.
One of the stores called me to say they couldn't deliver and I called AMEX with the info - including the name and address of the person charging. They said they don't even bother to pursue - just cancel all charges with the airlines and stores (on the basis merchants let the stuff be charged without ID and AMEX approval). So I didn't lose - and got a new card by FedEx 2 days later. And AMEX doesn't lose. The merchants have to absorb it - and all of our prices go up.
I think most all of the time laptops are stolen, it is for the hardware, not the contents. There aren't enough details in that notice to say, but I think that's the case. I think the employee is clearly at fault if he or she was negligent or left it sitting around a cafe, but there is nothing wrong per se with having information on a laptop. That's called work. All of the people in my firm have laptops as their regular computers, they couldn't work without them. Few organizations have mainframes any more, if that's what you are suggesting. A laptop can be stolen from anywhere.
Several people in my office had their laptops stolen at night from their actual office, so this can happen whether someone carries the laptop elsewhere or not. They finally traced it to the cleaning staff, of course, who have keys to a lot of areas and come in at night when no one was there. It was some accomplice of the cleaning staff. They did change some security measures at that point, and I thought they were idiotic to allow it to happen in the first place. It didn't happen to me because I don't leave my office door unlocked. I'll admit I don't have a laptop, either, only desktop PCs because I don't want to carry work around with me, but a lot of people do have laptops in their regular docking stations. They do have to allow cleaning staff to clean, unfortunately, and they could always get into the main suite area, but now those folks keep their office doors locked and the cleaning staff doesn't have keys to them. Of course, anyone who really really wanted to steal them could as our office building, as most, just has sort of prefab walls and removable ceiling tiles on a frame that could easily be removed. You could probably punch your fist through the wall fairly easily. As well as pick the locks if you knew how. So, I think people do have to be a little more savvy about these things, but someone can't be blamed if a thief just broke into their house and stole a laptop there, but the same thing can happen in an office or other places. Really, most thieves of laptops aren't looking for the data and wouldn't know how to access it or use it if they did.
Wow... that's pretty shocking. Why on earth would someone have customer data on any HD, much less one that moves. VPN for cryin' out loud. Auditing transplanted soft copy kind of negates the results anyway. Doesn't E&Y even have a security audit division? At least I think they used to.
Well just thank goodness they don't give up-to-date information to their accountants.
Verrry interrrresting, Robe.
One wonders why a person who would never let a briefcase containing important papers out of his sight has no difficulty losing lots of information on a hard drive. :) ((I))
"The laptop in question was in a backpack that was stolen from the locked vehicle of an Ernst & Young employee." [Yeah - like that's never happened before.]
Advice to anyone who assumes a cavalier stance with regard to storing critical data on computers (<i>especially</i> portable ones): if losing the data can cost customers money, encrypt it with long, strong keys. Even Microsoft EFS is better than nothing, but there are aftermarket solutions that are even better. I don't imagine Hotels.com will be renewing their contract with E & Y. D'ya think?
<i>p.s.</i> Microsoft password security is a joke. I have a boot CD with a Linux app on it that can remove the Administrator password from any MS Operating System in seconds. If you think your data is safe because your password is random gobbledygook, you are living in a fool's paradise.
As far as I know, Encrypting File System has not been hacked <i>if the keys and recovery agents are kept on a separate medium</i>. But I'm not a Russian IT genius with time on his hands and no money, either.