Lost Ernst & Young laptop exposes IBM staff

Oops, we did it again


Exclusive Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.

The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until 8 March - two months after the theft.

Neither IBM nor Ernst & Young have returned calls seeking comment.

Last month, The Register revealed that another Ernst & Young laptop theft had exposed the social security number and other personal information of Sun Microystems CEO Scott McNealy and an unknown number of other people. Since our story ran, a Cisco employee informed us that his data was on the same laptop as the one containing McNealy's information.

The loss of the IBM data outraged Jeff Moran, the husband of the IBM worker told of the data breach.

"Ernst & Young has a policy that this type of information is not supposed to be on a laptop," Moran said. "Yet, these guys download the data because it's convenient for them."

"All of our information is out there, and they didn't bother to tell us until March. By that time, the thief would have already used the information. This is an outrage, but until Congress starts punishing these guys, nothing will happen."

The letter from Ernst & Young states that the company does tax work for current and former overseas workers of IBM. In this role, the auditing firm needs information such as an employee's address, family size, US social security number and tax identification number. It then holds onto this information for at least seven years.

"The employee whose laptop was stolen is part of a group in our tax practice that works regularly with historical data files, assisting our Global Mobility and other tax professionals with data conversion, formatting and analysis," Ernst and Young wrote in the letter. "In connection with his job, the employee ran reports, which result in files being created on the laptop.

"We have determined that the laptop contained various personal information for a select number of IBM employees. Among the items of information included for some or all of these employees were name, address, US social security number, email address, and country where stationed."

Nothing short of a nirvana for an identity thief.

Ernst & Young has offered those affected a free, 12 month credit monitoring service provided by Experian. The service includes a hotline that IBM employees can call. Moran made such a call and found the staffer to be most unhelpful.

"I left my name and number and no one called me back for ages," he said. "Then the guy says that this will never happen again in the future. So, I pointed out that they had lost McNealy's information after our thing happened. He didn't have a response to that."

We called the Ernst and Young hotline for IBM employees and asked if it was the right place to ask about the IBM workers who had their data exposed via the laptop theft. The employee responded with a curt, "yes" but would provide no other information.

Ernst and Young's letter to IBM stafferFollowing the Sun/Cisco incident, Ernst & Young filed a police report in Miami, noting that it had lost four more laptops. Its employees left the systems in a conference room when they went out for lunch. A security camera at the conference center showed that it took all of about five minutes for two people to steal the laptops.

Ernst & Young maintains that the laptops are password protected and do not pose a significant security risk.

But such statements have not impressed security experts following the story.

"For a big four firm consisting of auditors and compliance professionals to say such a thing is very revealing of their lack of understanding and ignorance of security controls (and how to defeat them)," wrote one Register reader.

"I work for a information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices -even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

Other readers backed up this sentiment, saying that their experience with the big four accounting firms shows that the companies rarely encrypt data on laptops or use sophisticated security measures.

Ernst & Young continues to avoid copping to these incidents in public, preferring for us and police blotters to expose the details. It's unclear how many more laptops have gone missing and have not been reported, and the company's security measures seem disconcerting to say the least for a company that specialises in accounting and auditing. Ernst & Young often gets paid to assess how well clients are complying with government policies around data protection and how forthcoming these clients are with discussing data breaches.

Ernst & Young has yet to return our calls seeking information about what is being done to prevent future losses, whether this data should have been on laptops in the first place and if anyone has been held accountable for the string of breaches. ®


Other stories you might like

  • Google sours on legacy G Suite freeloaders, demands fee or flee

    Free incarnation of online app package, which became Workplace, is going away

    Google has served eviction notices to its legacy G Suite squatters: the free service will no longer be available in four months and existing users can either pay for a Google Workspace subscription or export their data and take their not particularly valuable businesses elsewhere.

    "If you have the G Suite legacy free edition, you need to upgrade to a paid Google Workspace subscription to keep your services," the company said in a recently revised support document. "The G Suite legacy free edition will no longer be available starting May 1, 2022."

    Continue reading
  • SpaceX Starlink sat streaks now present in nearly a fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining this science, maybe not

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading

Biting the hand that feeds IT © 1998–2022