Original URL: http://www.theregister.co.uk/2006/03/04/ey_letters/
Readers amazed by Ernst & Young's laptop giveaway
Your data is exposed password protected
Last month, Ernst & Young lost five laptops (that we know about). The accounting firm didn't really hold itself accountable for the missing hardware. It only copped to the losses after being contacted by reporters, and it downplayed the incidents, saying password protection would keep customers' information safe.
The mainstream press completely ignored Ernst & Young's follies, despite Sun Microsystems CEO Scott McNealy having his social security number exposed in one of the incidents. You guys, however, didn't treat the missing gear so lightly.
I read your Ernst & Young story regarding the stolen laptop and was amazed by their quote,
"The security and confidentiality of our client information is of critical importance to us. The computer was password-protected..."
Oh, that'll be fine then. I'm sure the data is safe! Saying that the "security and confidentiality of our client information is of critical importance" and that the "computer was password protected" don't seem to go hand in hand do they?!
I used to work for Ernst & Young in Canada and they routinely lost laptops via careless auditors and via theft. So this news is not surprising. What is very interesting, however, is that in my days working for their Technology and Security Risk Service line we were contracted by a client to do tests on, you guessed it, the security of a laptop after it is stolen.
We demonstrated to the client how a simple Windows password and in some cases even a simple BIOS password could be easily bypassed by someone with moderate skill.
So for EY to say that the laptop with the social security numbers is safe because it had a password is not only hypocritical of them but also completely false. It has been a few years since I worked at EY but I am pretty sure that they are not using any type of disk encryption, so the data on these stolen laptops is definitely vulnerable.
Quoting from their web site:
"Companies don't get second chances today. Time is of the essence—and your competitors are just a click away. Everyone you do business with needs to know that your business systems are secure, reliable, available and properly controlled. "
Perhaps they should be looking at the work they have done for others and practicing what they preach.
I do love the way the Big 4 accountancy firms look down on smaller practices. At the charge-out rates E&Y use, it wouldn't cost more than, ooooh, about £3,000 of chargeable time to work out that whilst onsite you should always ensure one member of staff is left behind with the audit files and computers. If a two-office practice like mine has thought of it, surely it's not beyond the ken of a large multinational.
So much for the thought E&Y like to have that they have the "best of the best" when it comes to staff eh?
Possibly the reason they didn't disclose this was that if the thief didn't know what they'd stolen, they'd be unlikely to use it. Except now that it has been reported, they might put 2 and 2 together and realise they have something worth a lot more than they thought...
I think a lot of UK/European readers won't get why the social security number thing is such a big deal. If memory serves some genius back in the early days of US IT decided that, rather than give everybody their own customer number, they'd just use the guaranteed unique SS number. This soon became common practice.
So, it's not that McNealy's SS number is compromised particularly, more that a knowledgeable hacker can use this number when they break into other systems to find out things about him and also pretend to be him and commit fraud.
In the UK I don't think most of us would give a toss if someone knew our NI number because it isn't plastered all over our credit card vendor's internal systems. I do wonder if this will change if the UK government manage to get their crackpot ID card scheme off the ground: will this number then start mattering because it will be plastered everywhere like it is in the US? Then the hackers will find committing fraud (sorry, "identity theft") much easier. I bet no-one's thought about it at all.
These big firms only hire squints, nerds and yes men.
They have a lot bigger problems than nicked lap tops.
i.e.: The top dogs are greedy, unprincipled members of a privately regulated system that went out of control about 20 years ago! Where once these firms represented integrity, now they focus on profits through unprincipled creativity.
Like using European sewers as tax dodges for Coca Cola in the US, and signing off on cockamamy accounting practices like the spot trading ruling for Enron.
I'd be looking at the E&Y managers more than an outside criminal!
Not exactly 'high profile' if nobody knows about it is it?
Sounds more of a 'low profile' loss to me. Or at least that's how they'd like to keep it.
Yet another story of another company failing to protect sensitive and confidential customer/client information. One begins to wonder if there will ever be any legal consequences severe enough to prevent such occurrences. I don't think it unwarranted that some more substantial penalties, perhaps mandatory fines of the very large variety, be implemented to reinforce for companies of all sizes the need to protect sensitive customer information from theft or loss at all costs.
Cheers, Robert Rose
Hey, if you'd just ask the BOFH he'd tell you that beancounters think that if they have a password on their Windows user account, the data on their laptop is 100% safe. How could the poor bastards even dream that the OS could be loaded from another device (HDD, CD, DVD) and their hard disk read with ease?! I mean, if they don't/can't do it, it means nobody else can, right? On the other hand, why even bother loading the OS from another device when the passwords usually are something like "username123"...
Just a thought on the E&Y security issue... I know from personal experience that at least 50% of the "Big Four" firms use disk encryption at (presumably) the BIOS level on all laptops - the first thing you get on boot is the password prompt to decrypt the disk enough to continue the boot sequence. Just don't try running Partition Magic on such a machine...
Always nice to end on a positive. ®