Readers amazed by Ernst & Young's laptop giveaway

Your data is exposed password protected

Last month, Ernst and Young lost five laptops (that we know about). The accounting firm didn't really hold itself accountable for the missing hardware. It only copped to the losses after being contacted by reporters and downplayed the situations, saying password protection would keep customers' information safe.

The mainstream press completely ignored Ernst and Young's follies, despite Sun Microsystems CEO Scott McNealy having his social security number exposed in one of the incidents. You guys, however, didn't treat the missing gear so lightly.

I read your Ernst & Young story regarding the stolen laptop and was amazed by their quote,

"The security and confidentiality of our client information is of critical importance to us. The computer was password-protected.."

Oh, that'll be fine then. I'm sure the data is safe! Saying that the "security and confidentiality of our client information is of critical importance" and that the "computer was password protected" don't seem to go hand in hand do they?!


I used to work for Ernst & Young in Canada and they routinely lost laptops via careless auditors and via theft. So this news is not surprising. What is very interesting however, is that in my days working for their Technology and Security Risk Service line we were contracted by a client to do tests on, you guessed it, the security of a laptop after it is stolen.

We demonstrated to the client how a simple Windows password and in some cases even a simple BIOS password could be easily bypassed by someone with moderate skill.

So for EY to say that the laptop with the social security numbers is safe because it had a password is not only hypocritical of them but also completely false. It has been a few years since I worked at EY but I am pretty sure that they are not using any type of disk encryption so the data on these stolen laptops is definitely vulnerable.

Quoting from their web site:

"Companies don't get second chances today. Time is of the essence—and your competitors are just a click away. Everyone you do business with needs to know that your business systems are secure, reliable, available and properly controlled. "

Perhaps they should be looking at the work they have done for others and practicing what they preach.


I do love the way the Big 4 accountancy firms look down on smaller practices. At the charge out rates E&Y use, it wouldn't cost more than ooooh about £3,000 of chargeable time to work out that whilst onsite you should always ensure one member of staff is left behind with the audit files and computers, if a two office practice like mine has thought of it, surely it's not beyond the ken of a large multinational.

So much for the thought E&Y like to have that they have the "best of the best" when it comes to staff eh?

Alex Walsh

Possibly the reason they didn't disclose this was that if the thief didn't know what they'd stolen, they'd be unlikely to use it. Except now that it has been reported, they might put 2 and 2 together and realise they have something worth a lot more than they thought...

Dan Moss

Hi Ashlee

I think a lot of UK/European readers won't get why the social security number thing is such a big deal. If memory serves some genius back in the early days of US IT decided that, rather than give everybody their own customer number, they'd just use the guaranteed unique SS number. This soon became common practice.

So, it's not that McNealy's SS number is compromised particularly, more that a knowledgeable hacker can use this number when they break into other systems to find out things about him and also pretend to be him and commit fraud.

In the UK I don't think most of us would give a toss if someone knew our NI number because it isn't plastered all over our credit card vendor's internal systems. I do wonder if this will change if the UK government manage to get their crackpot id card scheme off the ground, will this number then start mattering because it will be plastered everywhere like it is in the US? Then the hackers will find committing fraud (sorry, "identity theft") much easier. I bet no-one's thought about it at all.


Francis Fish

These big firms only hire squints, nerds and yes men.

They have a lot bigger problems than nicked laptops.

i.e.: The top dogs are greedy unprincipled members of a privately regulated system that went out of control about 20 years ago! Where once these firms represented integrity; now they focus on profits through unprincipled creativity.

Like using European sewers as tax dodges for Coca Cola in the US, and signing off on cockamamy accounting practices like the spot trading ruling for Enron.

I'd be looking at the E&Y managers more than an outside criminal!

Brian Donofrio

Not exactly 'high profile' if nobody knows about it is it?

Sounds more of a 'low profile' loss to me. Or at least that's how they'd like to keep it.

Colin Jones

Yet another story of another company failing to protect sensitive and confidential customer/client information. One begins to wonder if there will ever be any legal consequences severe enough to prevent such occurrences. I don't think it unwarranted that some more substantial penalties, perhaps mandatory fines of the very large variety, be implemented to reinforce for companies of all sizes the need to protect sensitive customer information from theft or loss at all costs.

Cheers, Robert Rose

Hey, if you'd just ask the BOFH he'd tell you that beancounters think that if they have a password on their Windows user account, the data on their laptop is 100% safe. How could the poor bastards even dream that the OS could be loaded from another device (HDD, CD, DVD) and their hard disk read with ease?! I mean, if they don't/can't do it, it means nobody else can, right? On the other hand why even bother loading the OS from another device when the passwords usually are something like "username123"...


Just a thought on the E&Y security issue... I know from personal experience that at least 50% of the "Big Four" firms use disk encryption at (presumably) the BIOS level on all laptops - the first thing you get on boot is the password prompt to decrypt the disk enough to continue the boot sequence. Just don't try running Partition Magic on such a machine...

Martin Richards

Always nice to end on a positive. ®
