Nokia has joined Sun Microsystems, Cisco, IBM and BP on the unenviable list of those affected by laptop thefts at Ernst & Young. The sheer scale of the data leaks suffered by just one company suggests that the thefts are not just opportunist crimes. InfoWatch experts point out that if the black-market value of all the lost information is calculated, then targeted thefts appear to be the most likely explanation.
The Register has managed to ascertain that the theft of laptop computers from Ernst & Young has compromised private data belonging not only to Sun Microsystems, Cisco, IBM and BP but also Nokia.
One of several computers stolen from the audit firm contained details of Nokia’s U.S. employees. The data included their names, social security numbers, ages, addresses and tax identification numbers. Ernst & Young has stressed that the risk of identity theft is minimal because the laptop was password protected.
However, The Register has received a letter disputing that assertion from a former partner of Ernst & Young's Technology & Security Risk Services practice for the Greater China region and the U.S. The expert, who asked to remain anonymous, said he was shocked when Ernst & Young said there was no risk due to the password protection of the laptop. In the words of the expert, any member of the Big 4 knows just how little security a single password offers.
The security specialist continues by saying that while he was at Ernst & Young his team was required to keep sensitive data secure. The norm was to never leave laptops around even in the office, use cable locks or lock them in cabinets in addition to using BIOS passwords and encrypting sensitive data.
Of particular interest was the anonymous expert’s assertion that the theft of a laptop containing sensitive information is rarely a random act. “Many such thefts,” he says, “are targeted; maybe some further investigation is necessary here.”
The former Ernst & Young partner goes on to note that many Big 4 employees carry laptops in bags with "Big 4" logos. This gives a clear sign to any criminals just which laptops belong to audit companies and are likely to contain private data.
Another interesting aspect of the letter states that the members of the Big 4 report annually on precisely these trends in security. At the very least, the author says, they could advise their staff of precautions to take with this critically sensitive data.
Furthermore, by losing their laptop computers left, right and center, the actions of these huge auditing companies contradict the very principles of security, transparency and accountability that they demand of their clients.
Ernst & Young has been tight-lipped over the loss of its laptops, refusing to tell the press why an employee left his computer unattended, who has been held responsible for the incidents and what measures are being taken to prevent a repeat. In fact, the incidents only came to light after the press followed up leads provided by those affected by the data breaches.
“So many stolen laptops at one company suggests that these incidents were not just coincidental and that the thieves were after the hundreds of thousands of private records rather than the hardware. We have already pinpointed a case of the private data of one of those affected being offered for $5. Even if it is sold at knockdown prices on the black market, the information is of far more value than the laptops themselves,” points out Denis Zenkin, marketing director at InfoWatch.
Source: The Register