Ernst & Young, whose services include advising its clients on how to protect confidential information, lost 5 laptops last month, compromising data that included social security numbers. One of those affected was Sun Microsystems CEO Scott McNealy. Only after Ernst & Young was confronted by the press did it publicly acknowledge the losses.
At the end of February U.S. newspaper The Register reported that Ernst & Young, one of the 'Big Four' auditing firms, had lost at least five laptop computers containing confidential information on clients and partners. The company didn't make the losses public until journalists from The Register got in touch to ask if laptops containing confidential information had been stolen. It turned out that Ernst & Young had indeed lost the laptops and compromised sensitive data.
The first laptop was stolen from an employee's car. It contained clients' social security numbers, including that of Scott McNealy, CEO at Sun Microsystems. He received notification from an "anonymous partner", which The Register says was Ernst & Young, stating that his name and social security number were among the lost data.
An Ernst & Young spokesman said the laptop, which was stolen from the locked car of an employee, was password-protected. He also added that all those affected by the incident had been notified, but refused to say how many people had been affected.
Another four laptops were stolen after a group of Ernst & Young auditors went for lunch on 9 February, leaving their computers in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst & Young staffers left and walked off with four Dell laptops valued at close to $8,000, The Register also reported. Ernst & Young declined to comment on whether the lost computers contained private data or how many people may have been affected.
Among the services offered by Ernst & Young are audits of public companies, including compliance checks for the Sarbanes-Oxley Act. In other words, the company's specialists instruct their clients on issues such as protecting vulnerable private data by encrypting information on laptops. It can only be hoped that the data on the lost Ernst & Young laptops were encrypted properly.
“Provision must be made in a company's corporate IT security policy for safeguarding portable devices which could contain confidential information. Confidential data must not be allowed on to a laptop if a firm doesn't protect it using encryption. Otherwise, one fine day all the client details belonging to a company may well end up in the hands of fraudsters,” explains Denis Zenkin, marketing director at InfoWatch.
Source: The Register