
Consumer Affairs

Hotels.com, Royal Ahold Report Laptop Losses


By Martin H. Bosworth
ConsumerAffairs.com

May 5, 2006
Two more incidents of data breaches arising from laptop thefts were reported over the weekend, involving data held by travel site Hotels.com and food retailer Royal Ahold.

Hotels.com said a laptop containing nearly 250,000 customer records was stolen from a vehicle belonging to an employee of Ernst & Young, the financial services firm that was performing an audit for Hotels.com.

The laptop contained names, addresses, and credit/debit card information for customers who had used Hotels.com to book reservations from 2002 through 2004.

The laptop was not encrypted or password-protected, according to Ernst & Young spokespeople, and little information was provided as to where the theft took place.

The theft was discovered May 3rd, and customers were supposedly notified by letter in late May as well.

Ernst & Young has become notorious for being fumble-fingered where laptops containing sensitive data are concerned. It has also lost laptops containing data from companies such as Sun Microsystems, IBM, and BP.

Royal Ahold owns retail chains including Giant supermarkets and Stop and Shop. Its lost data contained names, addresses, Social Security numbers, and pension benefit information for an undisclosed number of current and former Royal Ahold employees.

The missing laptop was password-protected, but the information on it was not encrypted.

The data was stored on a laptop belonging to an employee of Electronic Data Systems (EDS), an information technology services company hired by Royal Ahold to manage its infrastructure.

The $500 million contract between Royal Ahold and EDS included "[managing] Ahold's computing workplace of more than 9,600 desktop and laptops, printers and e-mail users," as well as "hosting Ahold's mainframe and midrange servers," according to EDS.

According to the Washington Post, the unidentified EDS employee was storing the laptop in the cargo hold of a commercial airliner on a flight between Philadelphia and Boston. The laptop disappeared and was presumed to be stolen.

The theft occurred May 2nd, but potentially affected customers did not receive letters notifying them of the theft until late May.

Will They Never Learn?

The Royal Ahold and Hotels.com data breaches come on the heels of the loss of records on 1.3 million student loan borrowers from the Texas Guaranteed loan company.

Texas Guaranteed had contracted its data services to Canadian data company Hummingbird, and one of their employees had downloaded the data onto a "mobile storage device," only to lose it afterward.

And the country is still reeling from the loss of personal data belonging to 26.5 million veterans, after a VA employee took a laptop containing the information home with him, only to have it stolen.

Why does this keep happening, many ask? Why are individuals suddenly at risk of identity theft every time someone downloads data onto a laptop and takes it with them?

Part of the reason is outsourcing. Most laptop thefts happen when companies shift their data infrastructure to third parties or rely on third parties to provide functions such as outsourcing, privacy compliance, audits, etc. All of these extra fingers in the pie mean a heightened risk of security breaches and data fraud.

The more conspiracy-minded wonder if the boom in laptop thefts is due to data thieves moving away from network or mainframe-based hacking.

As companies get tough about infrastructure security, it becomes much easier for identity thieves to shift their focus to snatching unguarded laptops, many of which have little or no security features enabled.

Most likely, it's simple incompetence and negligence.

Even as individual Americans are doing more to protect themselves from identity theft through increased vigilance towards personal information, businesses are not educating their employees in basic security techniques or providing ways to get work done that don't require using a laptop or other storage devices.

As one commenter on CNet News put it, "After years of exposures of private data, we still have applications designed and developed with private data co-mingled with other data. Private data needs to be placed 'behind the wall', secured, encrypted and blocked from the general users -- yes, even including auditors. That the data is not segregated and secured is an architectural failure, attributable directly to those 'professionals' who allow private data to be abused in the first place."
