40K BP employees fall victim to Ernst & Young data leak

Yet more victims have been named in connection with the loss of confidential data by Ernst & Young. This time 40,000 U.S. workers of the oil giant BP were notified that a laptop containing their names and social security numbers ended up in the hands of criminals. InfoWatch has recently reported that Sun Microsystems, Cisco and IBM have also been affected by a spate of laptop thefts at the auditing firm.

The name of oil giant BP can now be added to those of Sun Microsystems, Cisco and IBM as part of the growing list of companies affected by the theft of laptop computers from Ernst & Young, The Register reports.

Last week the auditing firm, one of the Big Four, sent out 38,000 letters to the American employees of BP informing them that their names and social security numbers were compromised when an Ernst & Young laptop computer was stolen. The auditor tried to reassure the BP workers by explaining that the name of the file containing their details did not indicate what type of information was on the laptop, and that the laptop itself was password protected. However, that is hardly proof that the information was protected in any way.

Ernst & Young has confirmed the theft of the laptop containing the BP data. However, as was the case with Sun, Cisco and IBM, the company only went public after the press found out about the incident. Two weeks ago the leak of confidential information belonging to IBM was made public, and three weeks ago it was revealed that the private data of Sun Microsystems' CEO Scott McNealy had been lost. It appears that all the information was contained on the same laptop. As well as that computer, Ernst & Young recently lost another four laptops in Miami, although it has not said which customers were affected in those incidents.

Ernst & Young's reluctance to reveal the details of the leaks makes it difficult to give an exact figure of all those affected, though reporters estimate the IBM leak affected around 100,000 people.

The auditing firm is still maintaining a policy of silence, stating only that the stolen laptops were password protected. In the latest incident, involving BP, it also argued that the filename did not reveal the contents of the file that contained the private data. Nevertheless, the steady flow of new incidents demonstrates that the company's IT security policy is sorely lacking.

“When equipment is stolen from a company, it is that company's private matter. When private details are leaked from a company, that becomes a matter for the clients and the partners. Therefore, the loss of a laptop with personal information is not an internal issue but an issue for the company's clients. I should point out that notifying a third party, for example, the press or the general public, is not necessary. The company's responsibility is to inform those affected, which, in this case, it has done,” says Denis Zenkin, marketing director at InfoWatch.

“However, in my opinion, the problem lies elsewhere. If you are going to put any sensitive data on a laptop, then it must be encrypted.”

Source: The Register
