By Candace Lombardi
Monday, June 05 2006 10:51 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,39364957,00.htm

A seemingly random theft has led to another potential breach of personal data--this time name, address and credit card information from Hotels.com customers.

A laptop belonging to an Ernst & Young employee was stolen in a car theft earlier this year. Ernst & Young is the auditor for Hotels.com, an Expedia company, and the laptop contained personal data on Hotels.com customers.

Hotels.com was notified of the theft of the laptop, which contained data for about 243,000 customers, on May 3, a representative for Hotels.com said. "Ernst & Young informed us that the vehicle was broken into in late February," said the representative. "We immediately began reconstructing the data. Once we were notified, we began working as expeditiously as possible to determine which customers were impacted and to notify them. We began sending letters to affected customers last week."

"We're the auditor for Expedia; this was part of the audit," Ken Kerrigan, deputy director of public relations for Ernst & Young, told CNET News.com on Friday. Ernst & Young was in the process of doing the audit when the car theft took place, making it entirely proper for the employee to be in possession of the information via laptop, Kerrigan said.

CNET News.com obtained copies of both the Hotels.com and Ernst & Young letters to affected customers.

According to the Ernst & Young letter, the Hotels.com file held certain personal information related to Hotels.com transactions, primarily from the year 2004. There were also a small number of transactions from 2003 and 2002. "We believe the transactions may have involved the payment card you used with Hotels.com or another Web site through which Hotels.com provided booking services directly to customers. Specifically, the information on the laptop may have included your name, address and some credit or debit card information you provided," the letter said.

The Hotels.com letter gives information on a toll-free call center to assist customers with questions, an offer for a free credit-monitoring service and instructions on how to file a fraud alert with credit card companies. Hotels.com has also contacted the credit card companies and informed them of specific customers whose cards have been compromised, the Hotels.com representative said.

While Kerrigan said he believes the incident was "just a car theft," the financial company has taken steps to more strongly protect confidential data.

"For the U.S. and Canada, as of May 31, 30,000 of our employees, which I believe is everyone, have password-protection and encryption software on their computers," Kerrigan said. He did not specify which vendor was providing the encryption software. "This computer was stolen before it was encrypted. It was password protected, but not with encryption software."

Ernst & Young has had other employee laptops stolen this year as well, according to news reports. The company said it is working with authorities on the latest laptop theft.

"At this time, we have no indication the information has been accessed or misused in any way," Ernst & Young said in a statement regarding the latest incident. "We are working closely with Hotels.com to reach out to their customers whose information was on the computer."

This incident is just one in a long line of security threats tied to misplaced, lost and stolen data.

On Thursday, the Texas Guaranteed Student Loan company reported that 1.3 million customers are in danger of ID theft, after an IT consultant lost hardware containing sensitive data. On May 22, the data of 26.5 million U.S. veterans and their spouses was stolen from a government employee who brought work home via a laptop. The day before that, it was discovered that hackers had possessed yearlong access to Ohio University servers. In April, it was discovered that a University of Southern California hacker gained access to the information of perspective students.