Corporate Insecurity

  • Corporate Insecurity

    I'm sure everyone here has heard about this little gem:

    Hotels.com is warning nearly a quarter of a million customers that they may have had their credit card numbers stolen, following the theft of an unencrypted laptop belonging to the travel Web site's auditor, Ernst & Young Global.

    The laptop was stolen in late February after an Ernst and Young employee left it inside a locked vehicle, according to Hotels.com Senior Compliance Officer Cathy Bump. Ernst and Young notified Hotels.com of the theft on May 3, and after determining which customers were affected by the data breach, the two companies began sending out letters last week notifying approximately 243,000 customers of the theft.

    The laptop contained names, addresses, and credit or debit card information, mostly related to Hotels.com transactions that occurred in 2004, although some customers who made purchases in 2003 and 2002 were also affected.
    Seriously, what kind of idiot lets their employees run around with that kind of data on a laptop without even basic encryption? Not to mention Hotels.com gave that kind of detailed personal information to a third party! Perhaps I'm ignorant of the inner workings of big business, but is there any particular reason Ernst & Young needs the names, addresses and credit/debit card numbers of 243,000 users???
    When in danger or in doubt, run in circles scream and shout.

  • #2
    I got a good laugh about this story when I heard it on the news last night. Not so much about the fact that the data was lost/stolen but rather how the reporter said "the laptop was protected by a password". While I'm sure that made some of the sheeple feel better it is exactly the kind of attitude that causes this kind of thing to happen. Come on, "protected by a password"? We all know how secure that is!



    • #3
      The data being "protected by a password" is just as effective as the laptop being "protected by a locked vehicle."

      Some people see the lock, or the password screen, and do not go further. These people are usually honest to a fault. They obey all signs and notices and are confused when someone else does not.

      We need to invite their people to DC just to sit and watch the Wall of Sheep.



      • #4
        Originally posted by astcell
        Some people see the lock, or the password screen, and do not go further. These people are usually honest to a fault.
        Can you describe what you mean here by "honest to a fault?" I frequently describe myself that way, but do not fall into the other criteria. In general, if I was left with a person's laptop on a temporary basis and it was passworded, I would leave it alone. It wouldn't be worth the effort and the person had clearly left an unwelcome mat out.



        • #5
          Originally posted by KinoEye
          I'm sure everyone here has heard about this little gem:
          Yah, it's old news - just as a reference for the future, though, please post links or other references to sources you're citing.

          Originally posted by astcell
          The data being "protected by a password" is just as effective as the laptop being "protected by a locked vehicle."
          What's even better is that this is information that had been stored since at least 2002 - so even if some cards' expiry dates have rendered them invalid, this still points to approximately four years of poor handling procedures being in place as regards this information. Given this, it's surprising that the problem hasn't been more widespread.

          We need to invite their people to DC just to sit and watch the Wall of Sheep.
          This may also be a good example of where policy & procedure with good intentions can completely and utterly fail when applied in real life. We can't really say that there's no reason for that information to be on the laptop in the first place - hell, there's probably a very valid one why it was. But just because the reason's valid doesn't necessarily mean it's good. Hypothesising for a moment, there could have been a policy in place prohibiting external access in any form of credit card info - but this led to people having to keep that information on their laptops in order to carry out their job functions, and we all know how it went from there. Valid reasoning, poor end result.



          • #6
            Originally posted by skroo
            Yah, it's old news - just as a reference for the future, though, please post links or other references to sources you're citing.
            Noted.

            Source:
            http://tinyurl.com/fbdbc


            Situations such as these just honk me off. As I see it, there is no reason for hotels.com to retain my CC information for 2+ years AND turn that information over to a third party.

            I advise all my clients against storing CC info anywhere. I have them pass that information off to the payment processors and forget it ever existed. I realize this forces returning users to re-enter their data if they come back to make a purchase and that may be annoying to them, but in my mind it is a whole lot less annoying than having their CC info leaked due to incompetence or laziness.
            When in danger or in doubt, run in circles scream and shout.



            • #7
              Originally posted by KinoEye
              Situations such as these just honk me off. As I see it, there is no reason for hotels.com to retain my CC information for 2+ years AND turn that information over to a third party.
              Here's one I ran into yesterday that REALLY pissed me off: having to show ID to buy cold medication (thank you, the Feinstein/Talent Anti-Meth Bill) and having my name, address, date of birth, and driver's licence number recorded. Of course, there's no handling or storage procedure specified anywhere for this information, and I won't even get into how furious I am at the 'if you're not breaking the law, you've got nothing to worry about' attitude behind its collection - if I'm not breaking the law, then you've got no reason to be compiling this information. But almost worse than that, what this has done is to create a handy, thievable (or browsable) reference which can further be used to obtain SSNs fairly trivially. Hooray for easy identity theft.

              I fucking love being treated like a criminal because I've got a head cold.



              • #8
                Originally posted by skroo
                Here's one I ran into yesterday that REALLY pissed me off: having to show ID to buy cold medication (thank you, the Feinstein/Talent Anti-Meth Bill) and having my name, address, date of birth, and driver's licence number recorded.
                I refuse to buy those medications just for those reasons. I don't at all like the idea of having my information collected. But wait, it gets worse! I think at some point we won't be able to get these medications at all without a prescription. Because druggies can never get their hands on prescription medication.

                The thing that bothers me the most about someone writing down all my info if I want to legally buy something is that people buying it for nefarious purposes DON'T BUY IT. They steal it; therefore only the innocent people get punished by this law. The law is entirely useless.

                'if you're not breaking the law, you've got nothing to worry about' attitude behind its collection - if I'm not breaking the law, then you've got no reason to be compiling this information.
                Absolutely. And if you're squirrely about dispensing your information, others get confused and suspicious about you.

                There's a restaurant I like to eat at. When they run your CC, the copy they give you has your last 4 digits on it, but their copy has the whole number on it. The place is an asian food restaurant and the server was so confused when I refused to let her take "her" receipt with the full number on it.
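Editor's added example, not code from anyone in this thread: what KinoEye's "hand it to the payment processor and forget it ever existed" (#6) and mfreeck's last-four-digits receipt (#8) look like in practice. The merchant keeps only a processor token and the last four digits, receipts and logs are masked, and a Luhn check screens out typos before anything leaves the box. The `FakeProcessor` class, its `tok_` token format and the `4111 1111 1111 1111` test number are assumptions/constructed for the demo.

```python
import re
import secrets
from dataclasses import dataclass


def _digits(pan: str) -> str:
    """Strip the separators people type (spaces, dashes); everything else must be a digit."""
    return pan.replace(" ", "").replace("-", "")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every card brand uses; catches typos before anything is sent anywhere."""
    s = _digits(pan)
    if not s.isdigit() or not 13 <= len(s) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt-safe form, e.g. '************1111'. Same on the merchant AND customer copy."""
    s = _digits(pan)
    return "*" * (len(s) - 4) + s[-4:]


class FakeProcessor:
    """Stand-in for a payment processor (assumption). The PAN vault lives on ITS side, not ours."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = _digits(pan)
        return token

    def charge(self, token: str, cents: int) -> bool:
        # A real processor bills the card behind the token; here we only check it exists.
        return token in self._vault and cents > 0


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant keeps. A stolen copy is useless without the processor's credentials."""
    token: str
    last4: str


def store_card(pan: str, processor: FakeProcessor) -> StoredCard:
    """Validate, tokenize, and keep only what a returning customer needs to recognise the card."""
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    token = processor.tokenize(pan)
    return StoredCard(token=token, last4=_digits(pan)[-4:])


# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RUN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def scrub_pans(text: str) -> str:
    """Redact Luhn-valid card-length digit runs in free text (logs, receipt templates, support notes)."""
    def repl(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run   # order numbers etc. are left alone
    return _PAN_RUN.sub(repl, text)


if __name__ == "__main__":
    proc = FakeProcessor()
    card = store_card("4111 1111 1111 1111", proc)       # constructed test number
    print(card)                                            # StoredCard(token='tok_...', last4='1111')
    print(proc.charge(card.token, 12999))                  # True
    print(scrub_pans("retry for 4111-1111-1111-1111 failed"))
```

Note that `scrub_pans` only masks runs that pass Luhn, so a 16-digit order ID in the same log line survives; that is the trade-off that keeps the filter usable on real logs without hand-tuning.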



                • #9
                  Originally posted by skroo
                  having to show ID to buy cold medication.
                  i'm overwhelmingly pissed off and fired up about this bullshit. fortunately, i've been greeted with support and understanding at a few stores with this policy, when i've stated plainly "then ring my order up without that, i'll get it somewhere else"

                  another note... in my state it seems like this is being debated but is not 100% law at the moment, so policies vary from store to store. one grocery store says they want ID but i've convinced them that "you have me on record since i'm using my price club card" (which is all made up information anyway)

                  heh, maybe i'll start a drug-running business that imports cold medicine into the state for friends and who are still stuck on this notion that america is a free country.
                  "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                  - Trent Reznor



                  • #10
                    Originally posted by mfreeck
                    The thing that bothers me the most about someone writing down all my info if I want to legally buy something is that people buying it for nefarious purposes DON'T BUY IT. The steal it, therefore only the innocent people get punished by this law. The law is entirely useless.
                    Yep. Even tweakers aren't dumb enough to try to buy 90 boxes of Sudafed at once.

                    There's also the waste of $45 million dollars in appropriations to consider, plus whatever else it cost to get it put through. $45 million's a drop in the ocean in the grand scheme of things, but I'm cranky and like knowing where my tax dollars are going. This sure looks like a complete and utter waste of them no matter how thin you slice it.

                    Absolutely. And if you're squirrely about dispensing your information, others get confused and suspicious about you.
                    Oh, and I *really* pissed off the pharmacist on that score. When I realised she was copying down information and not just doing an age check or somesuch other less-annoying bullshit, I demanded that she cancel the transaction and hand over all information she'd taken down on me. Eventually she ended up tearing the page out of the log with my name on it and handing it to me for disposal after I'd forced a manager to come over and rather clearly explained to them that the only way they were going to be allowed to have my personal information on file was if they'd also hand over theirs. Once we got past that mental hurdle, they eventually relented.

                    Originally posted by Deviant Ollam
                    i'm overwhelmingly pissed off and fired up about this bullshit.
                    You and me both. What particularly got me was the pharmacist's attitude of, "well, nobody else seems to have a problem with this, so why do you?" Because other people are fucking idiots, lady, yourself included.

                    What I was thinking might go some way towards getting this toned down: every time someone goes to buy behind-the-counter cold medication, they should give Senators Feinstein and Talent a call and let them know that they really, honestly, truly won't turn their purchases into meth and just wanted to make sure that the good Senator knew - personally knew - that this was the case. Enough phone calls (Feinstein, Talent) to their respective offices from irate people with legitimate purchases to make and it might do some good.
                    Last edited by skroo; June 11, 2006, 12:43.



                    • #11
                      Originally posted by skroo
                      You and me both. What particularly got me was the pharmacist's attitude of, "well, nobody else seems to have a problem with this, so why do you?" Because other people are fucking idiots, lady, yourself included.
                      My wife encountered this the last time she went to pick up some cold/flu medicine for me. Thankfully the pharmacy tech that was manning the counter let her fill out the information without checking her ID. She commented on the bullshit requirement, he said that he agreed with her and that's why he personally did not check the ID to validate. I don't know the specifics of the requirement, and that tech very well may have been in violation of the new statutes, but fuck em.
                      Aut disce aut discede



                      • #12
                        @"Protected by a password"
                        Great! I haven't had problems with passwords since I was 9 and found out about booting with diskettes (del sam._, You screw up all accounts, but get in to the cc info.). It became even easier when I found tools like the "Offline NT Registry and Password Bootdisk" By Peter Nordahl, Sala's version that's slightly better and PwDump. I'll bet anything that there was no BIOS-password set. Seriously. When nine year olds can penetrate those "protections", how secure is it?

                        Originally posted by mfreeck
                        I refuse to buy those medications just for those reasons. I don't at all like the idea of having my information collected. But wait, it gets worse! I think at some point we won't be able to get these medications at all without a prescription. Because druggies can never get their hands on prescription medication.

                        The thing that bothers me the most about someone writing down all my info if I want to legally buy something is that people buying it for nefarious purposes DON'T BUY IT. The steal it, therefore only the innocent people get punished by this law. The law is entirely useless.
                        Three choices:

                        1. Steal it

                        2. Fake information (might not work when its prescription...)

                        3. Convince the people that they shouldn't be writing down that stuff. Inform the press!
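Editor's added example, not code from the poster above or anyone else in the thread: the difference between "protected by a password" and actually encrypted, which is the point #12 makes with boot diskettes and Nordahl's offline NT tool. A login prompt is code that only runs when the installed OS boots; a boot disk or a pulled drive sees the file exactly as stored. Below, the same constructed customer row is stored once as plaintext and once encrypted under a key derived from a passphrase with PBKDF2. The HMAC-SHA256 counter-mode keystream is a stdlib-only stand-in so the example runs anywhere; in real code use a vetted AEAD such as AES-GCM, or full-disk encryption. The sample record, passphrase and blob layout are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of row that was on the laptop (fake data).
CUSTOMER_RECORD = b"Jane Doe, 12 Main St, 4111111111111111, exp 05/07"

# Stored blob layout (assumption): salt(16) | nonce(16) | tag(32) | ciphertext
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 200_000


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Passphrase -> master key via PBKDF2, then separate encryption and MAC subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative; prefer AES-GCM in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_at_rest(passphrase: str, record: bytes) -> bytes:
    """What SHOULD be on the disk: fresh salt and nonce, an authentication tag, and ciphertext."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(record, _keystream(enc_key, nonce, len(record)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return salt + nonce + tag + ciphertext


def decrypt_at_rest(passphrase: str, blob: bytes) -> bytes:
    """Check the tag in constant time BEFORE decrypting; wrong passphrase or edited file fails here."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered file")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def offline_read_reveals(on_disk: bytes, secret: bytes) -> bool:
    """What a boot disk or pulled drive gets: the raw bytes. The login prompt never ran."""
    return secret in on_disk


if __name__ == "__main__":
    pan = b"4111111111111111"
    # "Protected by a password": the record is stored as-is; only the login prompt stands in the way.
    print(offline_read_reveals(CUSTOMER_RECORD, pan))                  # True
    # Encrypted at rest: the same offline read yields nothing usable without the passphrase.
    blob = encrypt_at_rest("correct horse battery staple", CUSTOMER_RECORD)
    print(offline_read_reveals(blob, pan))                             # False
    print(decrypt_at_rest("correct horse battery staple", blob) == CUSTOMER_RECORD)  # True
```

The attacker with the laptop still gets to guess passphrases offline at their leisure, which is why the key derivation is deliberately slow and why a short Windows login password is not a substitute for a real one.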



                        • #13
                          Originally posted by skroo
                          I won't even get into how furious I am at the 'if you're not breaking the law, you've got nothing to worry about' attitude behind its collection - if I'm not breaking the law, then you've got no reason to be compiling this information. But almost worse than that which this has done is to create a handy, thieveable (or browseable) reference which can further be used to obtain SSNs fairly trivially. Hooray for easy identity theft.

                          I fucking love being treated like a criminal because I've got a head cold.
                          I ran into something similar in 1999. I had recently moved and opened a new checking account; during the move a friend of mine dropped and destroyed my only monitor. I went to CompUSA to purchase a replacement, and while I was there I picked up some RAM and a few other assorted items. When checkout time came my bill came to over $500.00. (Remember this is 1999.) I hand the cashier my check, she types some numbers into her register, picks up the phone & mumbles something under her breath, hangs up and sanctimoniously announces that she cannot take my check!!! She gives me an 800 number to call.

                          I call the number from my cell in the parking lot, demanding an explanation. It turns out that I was flagged by Equifax as a possible criminal.

                          "We can't guarantee to our client that the check will clear funds"

                          "Excuse me???"

                          I ask why and I am told that they do not have "enough" data on me to accept a check. She offered to send me something to fill out to "ensure that this will never happen again." When it arrives it of course asks for WAY more info than I am prepared to give them, so I never fill it out...

                          It was one of the most demeaning experiences in my life, being flagged as a criminal by Equifax's FraudScan+ system.

                          To this day I get completely enraged when I think about it.
                          When in danger or in doubt, run in circles scream and shout.



                          • #14
                            Originally posted by mfreeck
                            The thing that bothers me the most about someone writing down all my info if I want to legally buy something is that people buying it for nefarious purposes DON'T BUY IT. The steal it, therefore only the innocent people get punished by this law. The law is entirely useless.
                            Recently I moved from Saint Louis, Missouri, to a very, very small town in Colorado. It turns out that this town is severely infested with tweakers (meth addicts). These people will take anything to get a fix, but they know that stealing from a store is too risky, so they will usually steal stuff out of cars, pawn it, and then buy drugs of one sort or the other.



                            • #15

                              I started cracking up when I read this post, as it just so happens that I work the help desk for E&Y. Too funny seeing it on both sides of the fence.
                              -Ramsieze

                              Give someone the key and they can make it through the door. Teach them to make these keys and they can make it through any door.

                              Insanity or genius, I'm on the edge....
