By Ashlee Vance | 15th March 2006 22:07

Lost Ernst & Young laptop exposes IBM staff

Oops, we did it again

Exclusive Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.

The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until 8 March - two months after the theft.

Neither IBM nor Ernst & Young have returned calls seeking comment.

Last month, The Register revealed that another Ernst & Young laptop theft had exposed the social security number and other personal information of Sun Microsystems CEO Scott McNealy and an unknown number of other people. Since our story ran, a Cisco employee informed us that his data was on the same laptop as the one containing McNealy's information.

The loss of the IBM data outraged Jeff Moran, the husband of the IBM worker told of the data breach.

"Ernst & Young has a policy that this type of information is not supposed to be on a laptop," Moran said. "Yet, these guys download the data because it's convenient for them."

"All of our information is out there, and they didn't bother to tell us until March. By that time, the thief would have already used the information. This is an outrage, but until Congress starts punishing these guys, nothing will happen."

The letter from Ernst & Young states that the company does tax work for current and former overseas workers of IBM. In this role, the auditing firm needs information such as an employee's address, family size, US social security number and tax identification number. It then holds onto this information for at least seven years.

"The employee whose laptop was stolen is part of a group in our tax practice that works regularly with historical data files, assisting our Global Mobility and other tax professionals with data conversion, formatting and analysis," Ernst and Young wrote in the letter. "In connection with his job, the employee ran reports, which result in files being created on the laptop.

"We have determined that the laptop contained various personal information for a select number of IBM employees. Among the items of information included for some or all of these employees were name, address, US social security number, email address, and country where stationed."

Nothing short of a nirvana for an identity thief.

Ernst & Young has offered those affected a free, 12 month credit monitoring service provided by Experian. The service includes a hotline that IBM employees can call. Moran made such a call and found the staffer to be most unhelpful.

"I left my name and number and no one called me back for ages," he said. "Then the guy says that this will never happen again in the future. So, I pointed out that they had lost McNealy's information after our thing happened. He didn't have a response to that."

We called the Ernst and Young hotline for IBM employees and asked if it was the right place to ask about the IBM workers who had their data exposed via the laptop theft. The employee responded with a curt, "yes" but would provide no other information.

Following the Sun/Cisco incident, Ernst & Young filed a police report in Miami, noting that it had lost four more laptops. Its employees left the systems in a conference room when they went out for lunch. A security camera at the conference center showed that it took all of about five minutes for two people to steal the laptops.

Ernst & Young maintains that the laptops are password protected and do not pose a significant security risk.

But such statements have not impressed security experts following the story.

"For a big four firm consisting of auditors and compliance professionals to say such a thing is very revealing of their lack of understanding and ignorance of security controls (and how to defeat them)," wrote one Register reader.

"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

Other readers backed up this sentiment, saying that their experience with the big four accounting firms shows that the companies rarely encrypt data on laptops or use sophisticated security measures.

Ernst & Young continues to avoid copping to these incidents in public, preferring for us and police blotters to expose the details. It's unclear how many more laptops have gone missing and have not been reported, and the company's security measures seem disconcerting to say the least for a company that specialises in accounting and auditing. Ernst & Young often gets paid to assess how well clients are complying with government policies around data protection and how forthcoming these clients are with discussing data breaches.

Ernst & Young has yet to return our calls seeking information about what is being done to prevent future losses, whether this data should have been on laptops in the first place and if anyone has been held accountable for the string of breaches. ®
