Readers amazed by Ernst & Young's laptop giveaway

Your data is exposed password protected

Last month, Ernst and Young lost five laptops (that we know about). The accounting firm didn't really hold itself accountable for the missing hardware. It only copped to the losses after being contacted by reporters and downplayed the situations, saying password protection would keep customers' information safe.

The mainstream press completely ignored Ernst and Young's follies, despite Sun Microsystems CEO Scott McNealy having his social security number exposed in one of the incidents. You guys, however, didn't treat the missing gear so lightly.

I read your Ernst & Young story regarding the stolen laptop and was amazed by their quote,

"The security and confidentiality of our client information is of critical importance to us. The computer was password-protected.."

Oh, that'll be fine then. I'm sure the data is safe! Saying that the "security and confidentiality of our client information is of critical importance" and that the "computer was password protected" don't seem to go hand in hand do they?!

Iain


I used to work for Ernst & Young in Canada and they routinely lost laptops via careless auditors and via theft. So this news is not surprising. What is very interesting however, is that in my days working for their Technology and Security Risk Service line we were contracted by a client to do tests on, you guessed it, the security of a laptop after it is stolen.

We demonstrated to the client how a simple Windows password and in some cases even a simple BIOS password could be easily bypassed by someone with moderate skill.

So for EY to say that the laptop with the social security numbers is safe because it had a password is not only hypocritical of them but also completely false. It has been a few years since I worked at EY but I am pretty sure that they are not using any type of disk encryption so the data on these stolen laptops is definitely vulnerable.

Quoting from their web site:

"Companies don't get second chances today. Time is of the essence—and your competitors are just a click away. Everyone you do business with needs to know that your business systems are secure, reliable, available and properly controlled."

Perhaps they should be looking at the work they have done for others and practicing what they preach.

Steve


I do love the way the Big 4 accountancy firms look down on smaller practices. At the charge out rates E&Y use, it wouldn't cost more than ooooh about £3,000 of chargeable time to work out that whilst onsite you should always ensure one member of staff is left behind with the audit files and computers, if a two office practice like mine has thought of it, surely it's not beyond the ken of a large multinational.

So much for the thought E&Y like to have that they have the "best of the best" when it comes to staff eh?

Alex Walsh


Possibly the reason they didn't disclose this was that if the thief didn't know what they'd stolen, they'd be unlikely to use it. Except now that it has been reported, they might put 2 and 2 together and realise they have something worth a lot more than they thought...

Dan Moss


Hi Ashlee

I think a lot of UK/European readers won't get why the social security number thing is such a big deal. If memory serves some genius back in the early days of US IT decided that, rather than give everybody their own customer number, they'd just use the guaranteed unique SS number. This soon became common practice.

So, it's not that McNealy's SS number is compromised particularly, more that a knowledgeable hacker can use this number when they break into other systems to find out things about him and also pretend to be him and commit fraud.

In the UK I don't think most of us would give a toss if someone knew our NI number because it isn't plastered all over our credit card vendor's internal systems. I do wonder if this will change if the UK government manage to get their crackpot id card scheme off the ground, will this number then start mattering because it will be plastered everywhere like it is in the US? Then the hackers will find committing fraud (sorry, "identity theft") much easier. I bet no-one's thought about it at all.

Regards,

Francis Fish


These big firms only hire squints, nerds and yes men.

They have a lot bigger problems than nicked laptops.

i.e.: The top dogs are greedy unprincipled members of a privately regulated system that went out of control about 20 years ago! Where once these firms represented integrity; now they focus on profits through unprincipled creativity.

Like using European sewers as tax dodges for Coca Cola in the US, and signing off on cockamamy accounting practices like the spot trading ruling for Enron.

I'd be looking at the E&Y managers more than an outside criminal!

Brian Donofrio


Not exactly 'high profile' if nobody knows about it is it?

Sounds more of a 'low profile' loss to me. Or at least that's how they'd like to keep it.

Colin Jones


Yet another story of another company failing to protect sensitive and confidential customer/client information. One begins to wonder if there will ever be any legal consequences severe enough to prevent such occurrences. I don't think it unwarranted that some more substantial penalties, perhaps mandatory fines of the very large variety, be implemented to reinforce for companies of all sizes the need to protect sensitive customer information from theft or loss at all costs.

Cheers, Robert Rose


Hey, if you'd just ask the BOFH he'd tell you that beancounters think that if they have a password on their Windows user account, the data on their laptop is 100% safe. How could the poor bastards even dream that the OS could be loaded from another device (HDD, CD, DVD) and their hard disk read with ease?! I mean, if they don't/can't do it, it means nobody else can, right? On the other hand why even bother loading the OS from another device when the passwords usually are something like "username123" ....

Caseta


Just a thought on the E&Y security issue... I know from personal experience that at least 50% of the "Big Four" firms use disk encryption at (presumably) the BIOS level on all laptops - the first thing you get on boot is the password prompt to decrypt the disk enough to continue the boot sequence. Just don't try running Partition Magic on such a machine...

Martin Richards

Always nice to end on a positive. ®
