Hotels.com, Ernst & Young Lose 0.25 Million Credit Card Numbers

250,000 Hotels.com customers woke up to super great news Friday morning: “Um, sorry guys, all your credit card numbers were stolen.”

It’s standard boilerplate for a corporate laptop theft precipitated by gross incompetence. Hotels.com hired Ernst & Young to audit its books. An Ernst & Young auditor, for whatever incredible reason, left the building with an unencrypted laptop containing the credit card numbers of every known Hotels.com customer. The laptop was then (surprise!) stolen.

As usual for this type of story, there was a huge delay between the laptop theft (early February) and the customer notification (last week of May).

I think we are rapidly drawing close to the point when it would simply be easier to hand your credit card number to a Russian hacker directly, as opposed to waiting for a company to accidentally give it to them. At least then you’re cutting out the middle man.

Hotels.com Customer Data Stolen [Yahoo! News]

Comments

  1. ModerateSnark says:

    I doubt the auditor even needed the credit card numbers for what he was doing.

    Databases should be designed so that only the data needed for analysis can be easily extracted. This is the kind of situation where keeping everything on a “need to know” basis is clearly the best policy.

    If the non-personal data needed for statistical analysis can’t be separated from the personal data, then don’t put it on a laptop or let it leave the building.

    Duh.

  2. LTS! says:

    Can we start some kind of scoreboard for these morons’ incompetence? This is what, the 3rd or 4th incident with Ernst & Young in the past year?

  3. ModerateSnark says:

    Something like the Data-losing Losers’ Loser-o-meter?

    “Data Losses and the Data Losing Losers who Lose It.”
    …by Fral Ankin, the author of “Personal Sensitive Data with Jokes” and “Ernst & Young are Big Fat Idiots.”

  4. Andrew W says:

    A friend just asked me a question similar to ModerateSnark’s first comment: why the hell does an auditor need/have customers’ credit card numbers?

    If there’s anyone who’s read a user agreement lately, do you remember if it says anything about what the company promises it will or will not do with your private info when it comes to the company’s own (or legally compelled) uses? Like, why can’t hotels.com be class-actioned for handing over names and credit card numbers to a third party?

  5. This is getting freaking ridiculous. Why is this data allowed to leave the building? Why aren’t companies taking more action to protect our data? What is it going to take? Activism? Boycotts? The lynching of entire departments? EMPs?

    I vote that we start finding these idiots that can’t keep ahold of their laptops and induce a little data loss of our own. But I’m just in a violent mood after handling stupid people on the phone all day.

  6. OkiMike says:

    They need to allow E&Y auditors to access data off-site only through a VPN. And they need to provide that data through Stored Procedures/Views and restrict rights to tables directly.

    Database Administration/Networking 101.
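The data separation ModerateSnark asks for in comment 1 and the views/stored-procedures/restricted-table-rights setup OkiMike describes in comment 6, written out as one added example. This is not code from the post or from any of the commenters, and it assumes PostgreSQL; every table, column, view, function and role name here is invented for the illustration.

```sql
-- Added illustration (not from the post or its commenters) of the
-- "need to know" database layout from comment 1 and the view /
-- stored-procedure / no-direct-table-rights restriction from comment 6.
-- PostgreSQL is assumed; all names below are invented for the example.

-- Cardholder data lives in its own table, reachable only by the owner.
CREATE TABLE payment_card (
    booking_id   bigint PRIMARY KEY,
    cardholder   text   NOT NULL,
    pan          text   NOT NULL,   -- full card number; never exposed in clear
    expiry       date   NOT NULL
);

-- Booking facts an auditor actually needs: dates and amounts, no PII.
CREATE TABLE booking (
    booking_id   bigint        PRIMARY KEY,
    booked_on    date          NOT NULL,
    hotel_id     integer       NOT NULL,
    amount_usd   numeric(10,2) NOT NULL
);

-- View exposing only what a financial audit needs. The card number is
-- reduced to its last four digits; the cardholder name is not shown.
-- PostgreSQL evaluates a view with the view owner's rights, so the
-- caller needs no privilege on the underlying tables.
CREATE VIEW audit_booking AS
SELECT b.booking_id,
       b.booked_on,
       b.hotel_id,
       b.amount_usd,
       right(p.pan, 4) AS pan_last4
FROM booking b
JOIN payment_card p USING (booking_id);

-- Stored procedure for the one aggregate an auditor is likely to want.
-- SECURITY DEFINER runs it as the owner; the fixed search_path stops a
-- caller from substituting objects of the same name.
CREATE FUNCTION audit_monthly_totals(month_start date)
RETURNS TABLE (hotel integer, bookings bigint, total_usd numeric)
LANGUAGE sql SECURITY DEFINER
SET search_path = public
AS $$
    SELECT hotel_id AS hotel, count(*) AS bookings, sum(amount_usd) AS total_usd
    FROM booking
    WHERE booked_on >= month_start
      AND booked_on <  month_start + interval '1 month'
    GROUP BY hotel_id;
$$;

-- Auditor role: may read the view and call the function, nothing else.
-- Direct access to both tables is withheld explicitly.
CREATE ROLE ey_auditor LOGIN;
REVOKE ALL ON payment_card, booking FROM PUBLIC;
REVOKE ALL ON payment_card, booking FROM ey_auditor;
GRANT SELECT ON audit_booking TO ey_auditor;
GRANT EXECUTE ON FUNCTION audit_monthly_totals(date) TO ey_auditor;

-- Check from the auditor's side: the view and the function work, the
-- table does not.
SET ROLE ey_auditor;
SELECT * FROM audit_booking LIMIT 5;                        -- succeeds
SELECT * FROM audit_monthly_totals(DATE '2006-02-01');      -- succeeds
SELECT pan FROM payment_card LIMIT 1;                       -- ERROR: permission denied for table payment_card
RESET ROLE;
```

The point of the last three statements is the check a practitioner should actually run after granting rights: connect as the restricted role and confirm that the raw table is refused. The VPN part of comment 6 is a network control and is not shown here; it limits where the query can come from, while the grants above limit what it can return, and a laptop that holds only the view's output holds no full card numbers to lose.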