Lost Ernst & Young laptop exposes IBM staff

Oops, we did it again

Exclusive Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.

The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until 8 March - two months after the theft.

Neither IBM nor Ernst & Young have returned calls seeking comment.

Last month, The Register revealed that another Ernst & Young laptop theft had exposed the social security number and other personal information of Sun Microsystems CEO Scott McNealy and an unknown number of other people. Since our story ran, a Cisco employee informed us that his data was on the same laptop as the one containing McNealy's information.

The loss of the IBM data outraged Jeff Moran, the husband of an IBM worker who was told of the data breach.

"Ernst & Young has a policy that this type of information is not supposed to be on a laptop," Moran said. "Yet, these guys download the data because it's convenient for them."

"All of our information is out there, and they didn't bother to tell us until March. By that time, the thief would have already used the information. This is an outrage, but until Congress starts punishing these guys, nothing will happen."

The letter from Ernst & Young states that the company does tax work for current and former overseas workers of IBM. In this role, the auditing firm needs information such as an employee's address, family size, US social security number and tax identification number. It then holds onto this information for at least seven years.

"The employee whose laptop was stolen is part of a group in our tax practice that works regularly with historical data files, assisting our Global Mobility and other tax professionals with data conversion, formatting and analysis," Ernst & Young wrote in the letter. "In connection with his job, the employee ran reports, which result in files being created on the laptop.

"We have determined that the laptop contained various personal information for a select number of IBM employees. Among the items of information included for some or all of these employees were name, address, US social security number, email address, and country where stationed."

Nothing short of a nirvana for an identity thief.

Ernst & Young has offered those affected a free, 12-month credit monitoring service provided by Experian. The service includes a hotline that IBM employees can call. Moran made such a call and found the staffer to be most unhelpful.

"I left my name and number and no one called me back for ages," he said. "Then the guy says that this will never happen again in the future. So, I pointed out that they had lost McNealy's information after our thing happened. He didn't have a response to that."

We called the Ernst & Young hotline for IBM employees and asked if it was the right place to ask about the IBM workers who had their data exposed via the laptop theft. The employee responded with a curt "yes" but would provide no other information.

[Image: Ernst & Young's letter to IBM staffer]

Following the Sun/Cisco incident, Ernst & Young filed a police report in Miami, noting that it had lost four more laptops. Its employees left the systems in a conference room when they went out for lunch. A security camera at the conference center showed that it took all of about five minutes for two people to steal the laptops.

Ernst & Young maintains that the laptops are password protected and do not pose a significant security risk.

But such statements have not impressed security experts following the story.

"For a big four firm consisting of auditors and compliance professionals to say such a thing is very revealing of their lack of understanding and ignorance of security controls (and how to defeat them)," wrote one Register reader.

"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

Other readers backed up this sentiment, saying that their experience with the big four accounting firms shows that the companies rarely encrypt data on laptops or use sophisticated security measures.

Ernst & Young continues to avoid copping to these incidents in public, preferring for us and police blotters to expose the details. It's unclear how many more laptops have gone missing and have not been reported, and the company's security measures seem disconcerting to say the least for a company that specialises in accounting and auditing. Ernst & Young often gets paid to assess how well clients are complying with government policies around data protection and how forthcoming these clients are with discussing data breaches.

Ernst & Young has yet to return our calls seeking information about what is being done to prevent future losses, whether this data should have been on laptops in the first place and if anyone has been held accountable for the string of breaches. ®