
Hotels.com credit-card numbers stolen

This topic is archived.

unhappycamper Donating Member (1000+ posts) Fri Jun-02-06 03:01 PM
Original message
Hotels.com credit-card numbers stolen
Names and credit-card numbers of 243,000 Hotels.com customers were on a laptop stolen from an Ernst & Young employee.
June 2, 2006: 12:20 PM EDT

NEW YORK (CNNMoney.com) - The names and credit-card numbers of 243,000 Hotels.com customers were on a laptop computer stolen from an employee of accounting firm Ernst & Young, according to sources familiar with the matter.

Hotels.com, which is owned by Expedia, and Ernst & Young, its auditor, began notifying customers that their information was stolen last week.

The theft occurred in February, according to news reports, but Ernst & Young only recently was able to determine what was on the computer's hard drive.

A spokesman from Ernst & Young declined to confirm the exact date of the theft.

more

MADem Donating Member (1000+ posts) Fri Jun-02-06 03:02 PM
Response to Original message
1. This is just getting batshit crazy
I suppose the only recourse is to go back to doing everything in cash, and then worrying about some asshole robbing you!

crispini Donating Member (1000+ posts) Fri Jun-02-06 03:03 PM
Response to Original message
2. Protect your laptops, people!
Of course, what was that data doing on there to begin with? :shrug:

htuttle Donating Member (1000+ posts) Fri Jun-02-06 03:14 PM
Response to Reply #2
4. It's against the regulations of most credit card companies...
...for vendors to retain the entire CC numbers after they are processed.

Why the hell an accountant doing an audit would ever have this data is entirely beyond me.

Cronus Protagonist Donating Member (1000+ posts) Fri Jun-02-06 05:15 PM
Response to Reply #4
23. True - any used in my business are erased within ten minutes
Edited on Fri Jun-02-06 05:18 PM by Cronus Protagonist
It's simple, safe and sane. And no one takes my data away anywhere, whether by laptop or Internet connection. If I can keep my data safe, why can't a large company?

Sheer incompetence is the only reasonable answer.

Educate A Freeper - Flaunt Your Opinions!
http://brainbuttons.com/home.asp?stashid=13



Human Torch Donating Member (1000+ posts) Fri Jun-02-06 04:06 PM
Response to Reply #2
17. The "police blotter" on the San Jose (CA) Mercury News...
...has reports on a regular basis of laptops stolen from cars. All hours of the day...

They're taken from cars on high-visibility, "main drag" streets like Winchester Boulevard in Campbell, in the parking lots of high-profile restaurants like The Elephant Bar.

Day after day after day some rocket scientist leaves his or her laptop on the seat of their car while going in for the morning latte and comes out to find it stolen. Purses, digital cameras...what makes people think it's a good idea to leave these things on the car seat, whether it's broad daylight or not?

And if anyone thinks putting it in the trunk is a good idea, think again. The "job" of these thieves is to monitor everything happening on the street. Put it in the trunk and OOOPS...pop the trunk, gone in 60 seconds.

:shrug:

Virginia Dare Donating Member (1000+ posts) Fri Jun-02-06 04:33 PM
Response to Reply #17
21. We've had laptops stolen right out of our office in broad daylight...
insurance companies won't even insure them anymore.

Human Torch Donating Member (1000+ posts) Fri Jun-02-06 05:00 PM
Response to Reply #21
22. I "should" have one for my business...
...but I've resisted buying one because I know that if I turn my back on it for ten seconds, it will be gone.

:patriot:

Mandate My Ass Donating Member (1000+ posts) Fri Jun-02-06 03:03 PM
Response to Original message
3. Dang, I used them in January and Feb.
I'd better get my debit/credit card # changed. This is getting totally ridiculous.

Indykatie Donating Member (416 posts) Fri Jun-02-06 03:17 PM
Response to Reply #3
5. Thanks for Posting
I too used the booking service earlier this year but will have to check the exact dates. Also, DUers may want to try Hotwire if you're flexible and can deal with accepting an unknown hotel in the zip code that you're visiting. Problem is you don't know exactly which hotel until you book the room. The rates are very low though.

The Deacon Donating Member (1000+ posts) Fri Jun-02-06 03:23 PM
Response to Reply #3
7. You know
Not so many years ago they had this neat little device called a "dongle" you could hook up your computer to - it was used on serial ports (back then the most common way of transferring data.) It changed the wiring of the port in a random way so that only a matching dongle could read it - they were sold in sets & no one could predict what random configuration any particular company might have.
There's a simple program (first used by American Express) which generates a "One Time Pad" number for your online transaction - the number (which bears no mathematical relationship to your credit card number) is good ONLY for the one transaction & your actual credit card number is never stored or transmitted to the merchant - they simply get a credit for the money.
Most computers in existence today can handle 128-bit encryption (those that can't can handle 64-bit & most now can handle 256-bit encryption.) How good is 128-bit encryption? The NSA running its fastest Cray Supercomputers for the entire life of the known Universe couldn't crack it (the reason for all the hoopla about "dumbing it down" or giving the Government secret keys to the encryption.)
So why the FUCK are social security numbers & credit card numbers being stored on Government & industry laptops UNENCRYPTED????

Mandate My Ass Donating Member (1000+ posts) Fri Jun-02-06 03:39 PM
Response to Reply #7
12. Thanks Indykatie and Deacon
Edited on Fri Jun-02-06 03:39 PM by Mandate My Ass
That's useful info.

I too question why this information is being kept under the most lax security that can be imagined. I've worked places where I've dealt with these kinds of data and even less sensitive information and we were strictly monitored for keeping it safe and confidential. This stinks to high heaven.

Gormy Cuss Donating Member (1000+ posts) Sat Jun-03-06 04:49 PM
Response to Reply #7
30. The lack of data masking in any form just boggles the mind
Back when encryption tools were rare and clunky we used to write algorithms to create unique IDs using valid data. There is no good reason for maintaining real account numbers, SSNs, or other externally significant IDs as primary IDs in the first place, and no excuse for passing around data without encryption.

The single use credit card numbers are great. I have noticed that they don't always work, I use them whenever I can.

chaplainM Donating Member (744 posts) Fri Jun-02-06 03:22 PM
Response to Original message
6. "If you're not doing anything wrong...
...you don't have anything to worry about."

sendero Donating Member (1000+ posts) Fri Jun-02-06 03:23 PM
Response to Original message
8. The fact that this data..
... was on ANYONE's laptop confirms what I've suspected - nobody takes the security of this sort of information seriously.

I'll bet you that at most companies, scads of programmers, network engineers, administrators, have access to these databases. For every one of these security breaches that comes to light, there are hundreds that don't.

MindPilot Donating Member (1000+ posts) Fri Jun-02-06 03:33 PM
Response to Reply #8
11. "nobody takes the security of this sort of information seriously"
At least not the "consultants" here on H-1B visas to make up for that massive IT worker "shortage". :mad:

brentspeak Donating Member (1000+ posts) Fri Jun-02-06 03:43 PM
Response to Reply #11
14. On a similar topic...
Today, I called Sprint to have my credit card information updated. The Indian customer service rep, who called herself "Anne" (yeah, right), needed 25 minutes to figure out how to do the update.

brentspeak Donating Member (1000+ posts) Fri Jun-02-06 03:40 PM
Response to Reply #8
13. I also find it very suspicious
Having all that info available on a single laptop -- it's almost like someone wanted to make it easy for all that data to be stolen.

sendero Donating Member (1000+ posts) Fri Jun-02-06 03:58 PM
Response to Reply #13
16. My guess is...
... that these are technical people working with the live data. In an actual secure environment, they would be using dummy data to do their programming - and then once it was working on the dummy data, it would be run against the real data in a controlled environment.

In actuality, most companies don't want to bother with the extra expense of keeping data secure, which is my basic point.

True enough - there is no good reason sensitive data like that should be on a laptop, and especially on a laptop taken off site, which most laptops are, or why would you bother with a laptop? :)
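
The dummy-data approach described in the post above, combined with the surrogate-ID masking raised earlier in the thread, as an added Python example that is not part of any poster's message or of any company's code. The sample rows, `DUMMY_PREFIX` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample rows; the names and card numbers are made-up test values.
SAMPLE_ROWS = [
    {"name": "Alice Example", "pan": "4111111111111111", "amount": "129.00"},
    {"name": "Bob Example", "pan": "5555555555554444", "amount": "89.50"},
    {"name": "Alice Example", "pan": "4111111111111111", "amount": "42.10"},
]

# Assumption: placeholder prefix for stand-in numbers, chosen for this example.
DUMMY_PREFIX = "000000"


def luhn_valid(number: str) -> bool:
    """Luhn check, the checksum card-number validation code usually applies."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))


def surrogate_id(key: bytes, pan: str) -> str:
    """Stable keyed ID for an account: same card -> same ID, no digits exposed."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def dummy_pan(key: bytes, pan: str) -> str:
    """16-digit, Luhn-valid stand-in so validation code still runs in testing."""
    mac = hmac.new(key, b"dummy:" + pan.encode("ascii"), hashlib.sha256).digest()
    partial = DUMMY_PREFIX + str(int.from_bytes(mac, "big") % 10**9).zfill(9)
    return partial + luhn_check_digit(partial)


def build_test_extract(rows, key: bytes):
    """Rows for development use; no real name or card number is carried over."""
    extract = []
    for row in rows:
        cid = surrogate_id(key, row["pan"])
        extract.append({
            "customer_id": cid,
            "name": "Customer " + cid[:6],
            "pan": dummy_pan(key, row["pan"]),
            "amount": row["amount"],
        })
    return extract


if __name__ == "__main__":
    # The key is generated and kept inside the controlled environment. Card
    # numbers are a small search space, so a copy of the key next to the
    # extract would let the IDs be matched back to guessed numbers.
    masking_key = os.urandom(32)
    for masked in build_test_extract(SAMPLE_ROWS, masking_key):
        print(masked)
```

Only the output of `build_test_extract` would be copied to a development machine; the real rows and the masking key stay where the live data is processed.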

skids Donating Member (1000+ posts) Sat Jun-03-06 05:01 PM
Response to Reply #16
33. Laptops are far superior.
There are good reasons to use a laptop other than portability.

1) You have a built-in UPS with an incredibly long runtime.

2) A laptop uses significantly less power, because the companies couldn't cut corners on the power electronics to shave dollars off, because they have to work on a battery.

3) It takes less desk space.

4) Peripheral upgrades/changes are all external through cardbus and external busses.

Were I a company owner, I wouldn't even bother with desktops, frankly. The price difference just isn't worth it, and over the life of the unit you'll make up the cost in energy savings. If you don't want them moved, just bolt them to the furniture.

That said, over the last few years the impression has been growing on me that the sorts of people that mid-sized companies hire today aren't the kind that take the duties of their position seriously nor consider the larger consequences of their occupational actions either to the company or to society at large. They do take retaining their jobs very seriously, which is why they don't want people who take their duties seriously around -- they tend to cause problems like pointing out who's being utterly useless and pushing projects along. The workforce is therefore effectively "vacuum locked" -- the inmates have control of the asylum and aren't about to let the staff back in.

Next job interview I go to, I'm going to act stupid, passive, and conflict-averse and see if that gets me in.


ixion Donating Member (1000+ posts) Fri Jun-02-06 03:24 PM
Response to Original message
9. so after the person who stole it has had plenty of time to sift through
the data, they decide to go ahead and let the people who were actually affected by it know.

And then, if anything has been charged, or new accounts opened in their name, just watch how easy it is for people to get that stuff removed. :grr:


MindPilot Donating Member (1000+ posts) Fri Jun-02-06 03:27 PM
Response to Original message
10. That's the second one reported TODAY!!!
Ok, I get the laptops being stolen...that's gonna happen. My question is why in the name of all that is holy are these companies so lax with their internal security that sensitive data can even be copied onto a network node. And it took them 3 months to figure out what was on the drive? The guy didn't know? Are people that friggin' stupid or do they just not care?! :mad:

Ernst & Young added that the computer was password-protected and there was no indication the information had been accessed or misused.

Other personal items were stolen as well, according to the accounting firm.

"The crime appears to be a random theft, and we have no indication that the thief was specifically targeting the laptop or any information contained on it."


It sounds like they all have a boilerplate press release. The COMPUTER was password-protected?! BFD, a screwdriver can take care of that problem. These guys are MORANS!!!


CountAllVotes Donating Member (1000+ posts) Fri Jun-02-06 03:53 PM
Response to Original message
15. Wow!
I used hotels.com too (last year in March). I have since this time closed the account they charged the hotel to just a couple of weeks ago fortunately! I am trying VERY hard to get rid of all of the credit cards I have that I do not use. I'd strongly advise this to everyone.

I just checked my credit card bill (and yes, I want my bill mailed to me!) and found the one with the hotels.com charge. It says it is located in TEXAS. This is also where the Student Loan records were stolen from, some computer that had been located in TEXAS.

It seems to me that a lot of these "thefts" are occurring in TEXAS for some reason.

I'll put on my tinfoil hat just to cover my ass on this one. I however smell more than a HUGE RAT!

:tinfoilhat:


pitohui Donating Member (1000+ posts) Sat Jun-03-06 03:19 AM
Response to Reply #15
26. the reason is not hard to figure out
Edited on Sat Jun-03-06 03:22 AM by pitohui
the GOP has just put out the welcome mat that if you enter the country illegally, steal someone else's identity, and live here w.out being caught long enough then eventually you will be given amnesty and become a usa citizen

why WOULDN'T there be a huge black market for stolen credit cards, veteran's social security numbers, etc?

the people who will buy these items have nothing to lose, for they are not punished for breaking the law, and they have everything to gain, at worst, if caught they are deported, so they just start the whole game all over again

i honestly don't see why any tinfoil is needed, it's pretty obvious to me why such thefts are BIG TIME not just in texas, but in nevada, and arizona too

don't forget, the ENTIRE dept. of motor vehicles information for state of nevada was stolen!

our country has created its own problems by refusing to enforce the law or secure its borders, why secure a damn laptop if you wouldn't bother to secure an international border, this 5 years after 911?




Sherman A1 Donating Member (1000+ posts) Fri Jun-02-06 04:14 PM
Response to Original message
18. Liability?
Assuming that things go "as they say" and it's all password protected and no cause for alarm, just a random theft of a laptop, well... whatever. On the other hand if a link could be made to forged charges to these cards and loss of personal data, would there not be a legal liability that could be actionable in court? It would seem that whoever was responsible for this private information was certainly negligent and if harm is caused due to that negligence then the cure would come in a civil case. Perhaps there are laws to protect the mighty (and mighty stupid) corporations in this case, but I would think that if I suffered a harm from their lack of due diligence then I would have cause for action. Just a thought.....

Corgigal Donating Member (1000+ posts) Fri Jun-02-06 04:20 PM
Response to Original message
19. Well some of you guys
are in the same boat as the VA people.

You also might want to look into a fraud alert from the credit card companies. It's free to place an alert on your file but I went ahead and purchased the 5 dollar a month monitoring service. I've been so good and working to get my FICO score up that I feel better with the monitoring service. The fraud alert only stays on your file for 90 days but you can place it on again, if needed.

MindPilot Donating Member (1000+ posts) Fri Jun-02-06 05:43 PM
Response to Reply #19
24. It pisses me off that I have to pay to have access to my own data
I know I can get one free report every year, but I have to pay to find out my credit score. Seems like that information is available to everyone but the person it pertains to.

Breeze54 Donating Member (1000+ posts) Fri Jun-02-06 04:32 PM
Response to Original message
20. I can't remember if I used them
Edited on Fri Jun-02-06 04:38 PM by Breeze54
or not! yikes!

On another note:

http://www.projo.com/news/content/projo_20060602_ymca2.22057e68.html

Stolen computer held data on 65,000

A laptop taken last week from the YMCA offices in Providence had credit-card,
debit-card and Social Security numbers, as well as
names, addresses and medical information about children in daycare programs.

01:39 PM EDT on Friday, June 2, 2006


BY PAUL EDWARD PARKER
Journal Staff Writer

PROVIDENCE --

A laptop computer containing personal information about thousands of YMCA members from across
Rhode Island and in Seekonk, Mass., was stolen last week, a YMCA spokeswoman said yesterday.

The laptop, taken from inside a locked office at the YMCA's administrative offices on
Richmond Street, contained credit-card and debit-card numbers, checking account information,
Social Security numbers, the names and addresses of children in YMCA daycare programs and
medical information about the children, such as allergies and the medicine they take,
according to spokeswoman Michelle A. Riendeau.


In all, slightly more than 65,000 members are affected, although the type of information about
each person varies, Riendeau said. Those whose information was stolen include members of the
Greater Providence YMCA, as well as the YMCAs in Pawtucket, Smithfield and Woonsocket, agencies
that receive services from the Greater Providence YMCA. Greater Providence has 10 branches
and facilities in Barrington, Cranston, North Kingstown, Providence, Seekonk, South Kingstown
and Warwick.

Riendeau said she did not have a breakdown of how many people from each YMCA are involved.

Riendeau said the information is behind two walls of security. She declined to be more
specific, except to say that it is not routine computer security. She said the laptop's
absence was noticed May 24 when another laptop, also stolen, was to be transferred to
another branch. Nothing else was taken. According to Riendeau, the police said that the thief
broke into the building and into the office, both of which were locked.
The police do not suspect the thief was someone who works at the YMCA, she said.

Riendeau said the YMCA is not aware of any indication that any of the stolen information has
been misused.

That might not be comforting, according to Beth Givens, director of the Privacy Rights Clearinghouse, in San Diego, Calif.
"Over half of the victims of identity theft don't know how it happened to them," said Givens,
adding that it would be impossible to know for sure whether information from the laptop was misused.

Fortunately, laptop thefts tend to be petty crime, Givens said.

"Probably, somebody just wanted the hardware. They wanted the computer, not the data," she said.
"It was probably a drug addict who wanted to make a few hundred bucks on the street."

Riendeau said the stolen computer was used only occasionally.
The data had been placed on the laptop in order to test software. The YMCA has other copies
of the data for use in day-to-day business, and the theft did not interrupt operations.

She said most of the financial data on the laptop came from face-to-face transactions,
though a few were from a new service that allows people to renew their memberships online.

Although the theft was discovered last week, it was not made public until yesterday because
the YMCA had to determine what information was on the missing laptop and had to report it to authorities.
The YMCA is notifying all people whose information was on the laptop, according to President Susan Rittscher.
Those who have questions can call the YMCA at (401) 521-9622.

Riendeau said the YMCA has hired a security expert to review its operations...

... more at link

------------------

Now that is even more scary! The children's information was stolen!!
Gheesh!

rocktivity Donating Member (1000+ posts) Fri Jun-02-06 08:39 PM
Response to Original message
25. Have these companies never heard of virtual private networks?
When I was required to take a laptop home, it didn't put the company out of business if it got stolen because you couldn't do any work outside the office without logging on to the company network. There's no reason to be walking around with that kind of data on you if you can access it once you've reached your destination!

On the other hand, I certainly don't believe these thefts are the work of some very clever black market thieves. Perhaps the NSA has come up with another way of getting data via electronic snooping and blackmail.

:crazy:
rocknation

donsu Donating Member (1000+ posts) Sat Jun-03-06 09:56 AM
Response to Original message
27. I think all these info thefts and losses are planned


there are just too many to be happenstance

Divine Discontent Donating Member (1000+ posts) Sat Jun-03-06 04:34 PM
Response to Reply #27
29. GOOD GRIEF ALREADY!!!
this IS batshit crazy, I agree!


www.cafepress.com/warisprofitable <--- check it out! stickers & shirts very well designed!

CountAllVotes Donating Member (1000+ posts) Sat Jun-03-06 04:51 PM
Response to Reply #29
31. I called and checked
Edited on Sat Jun-03-06 04:52 PM by CountAllVotes
They have no information on me or my credit card that was used. In fact they have the wrong telephone # in their database. I was able to log into my hotels.com acct. and found this to be the only info. they have on me - my name and address and that is it.

This info. can be found all over the www like zabasearch.com and privateeye.com just to name a couple.

In any event, they had no credit card info. stored on their site I am happy to report.

:kick:

Divine Discontent Donating Member (1000+ posts) Sun Jun-04-06 01:25 PM
Response to Reply #31
34. GOOD FOR YOU!! :) n/t

Blue_Tires Donating Member (1000+ posts) Sat Jun-03-06 04:24 PM
Response to Original message
28. ttt n/t

Joanne98 Donating Member (1000+ posts) Sat Jun-03-06 04:55 PM
Response to Original message
32. Choicepoint. My first suspect.