Readers amazed by Ernst & Young's laptop giveaway

Your data is exposed password protected


Last month, Ernst & Young lost five laptops (that we know about). The accounting firm didn't really hold itself accountable for the missing hardware. It only copped to the losses after being contacted by reporters, and downplayed the situations, saying password protection would keep customers' information safe.

The mainstream press completely ignored Ernst & Young's follies, despite Sun Microsystems CEO Scott McNealy having his social security number exposed in one of the incidents. You guys, however, didn't treat the missing gear so lightly.

I read your Ernst & Young story regarding the stolen laptop and was amazed by their quote,

"The security and confidentiality of our client information is of critical importance to us. The computer was password-protected..."

Oh, that'll be fine then. I'm sure the data is safe! Saying that the "security and confidentiality of our client information is of critical importance" and that the "computer was password protected" don't seem to go hand in hand, do they?!


I used to work for Ernst & Young in Canada and they routinely lost laptops via careless auditors and via theft. So this news is not surprising. What is very interesting, however, is that in my days working for their Technology and Security Risk Service line we were contracted by a client to do tests on, you guessed it, the security of a laptop after it is stolen.

We demonstrated to the client how a simple Windows password and in some cases even a simple BIOS password could be easily bypassed by someone with moderate skill.

So for EY to say that the laptop with the social security numbers is safe because it had a password is not only hypocritical of them but also completely false. It has been a few years since I worked at EY, but I am pretty sure that they are not using any type of disk encryption, so the data on these stolen laptops is definitely vulnerable.

Quoting from their web site:

"Companies don't get second chances today. Time is of the essence—and your competitors are just a click away. Everyone you do business with needs to know that your business systems are secure, reliable, available and properly controlled. "

Perhaps they should be looking at the work they have done for others and practicing what they preach.


I do love the way the Big 4 accountancy firms look down on smaller practices. At the charge-out rates E&Y use, it wouldn't cost more than, ooooh, about £3,000 of chargeable time to work out that, whilst onsite, you should always ensure one member of staff is left behind with the audit files and computers. If a two-office practice like mine has thought of it, surely it's not beyond the ken of a large multinational.

So much for the thought E&Y like to have that they have the "best of the best" when it comes to staff eh?

Alex Walsh

Possibly the reason they didn't disclose this was that if the thief didn't know what they'd stolen, they'd be unlikely to use it. Except now that it has been reported, they might put 2 and 2 together and realise they have something worth a lot more than they thought...

Dan Moss

Hi Ashlee

I think a lot of UK/European readers won't get why the social security number thing is such a big deal. If memory serves some genius back in the early days of US IT decided that, rather than give everybody their own customer number, they'd just use the guaranteed unique SS number. This soon became common practice.

So, it's not that McNealy's SS number is compromised particularly, more that a knowledgeable hacker can use this number when they break into other systems to find out things about him and also pretend to be him and commit fraud.

In the UK I don't think most of us would give a toss if someone knew our NI number, because it isn't plastered all over our credit card vendor's internal systems. I do wonder if this will change if the UK government manages to get their crackpot ID card scheme off the ground: will this number then start mattering because it will be plastered everywhere like it is in the US? Then the hackers will find committing fraud (sorry, "identity theft") much easier. I bet no-one's thought about it at all.


Francis Fish

These big firms only hire squints, nerds and yes men.

They have a lot bigger problems than nicked laptops.

i.e.: The top dogs are greedy, unprincipled members of a privately regulated system that went out of control about 20 years ago! Where once these firms represented integrity, now they focus on profits through unprincipled creativity.

Like using European sewers as tax dodges for Coca Cola in the US, and signing off on cockamamy accounting practices like the spot trading ruling for Enron.

I'd be looking at the E&Y managers more than an outside criminal!

Brian Donofrio

Not exactly 'high profile' if nobody knows about it is it?

Sounds more of a 'low profile' loss to me. Or at least that's how they'd like to keep it.

Colin Jones

Yet another story of another company failing to protect sensitive and confidential customer/client information. One begins to wonder if there will ever be any legal consequences severe enough to prevent such occurrences. I don't think it unwarranted that some more substantial penalties, perhaps mandatory fines of the very large variety, be implemented to reinforce for companies of all sizes the need to protect sensitive customer information from theft or loss at all costs.

Cheers, Robert Rose

Hey, if you'd just ask the BOFH he'd tell you that beancounters think that if they have a password on their Windows user account, the data on their laptop is 100% safe. How could the poor bastards even dream that the OS could be loaded from another device (HDD, CD, DVD) and their hard disk read with ease?! I mean, if they don't/can't do it, it means nobody else can, right? On the other hand, why even bother loading the OS from another device when the passwords usually are something like "username123"...


Just a thought on the E&Y security issue... I know from personal experience that at least 50% of the "Big Four" firms use disk encryption at (presumably) the BIOS level on all laptops: the first thing you get on boot is the password prompt to decrypt the disk enough to continue the boot sequence. Just don't try running Partition Magic on such a machine...

Martin Richards

Always nice to end on a positive. ®

