Shostack + Friends Blog Archive

Laptop theft

The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others.
The article also observes that:

It’s difficult to obtain an exact figure on how many people have been affected by Ernst & Young’s security lapse given that it won’t say anything on the subject.

The number, as we reported 10 days ago, is 84,000.
The figure was reported to the New York State Consumer Protection Board by E&Y on February 10, 2006.
The laptop contained, according to E&Y’s report to New York officials:

files relating to a number of Ernst & Young corporate clients, and that these files contained various personal information relating to employees of those clients. [Ernst & Young] also determined that the laptop contained a separate file with the names and Social Security numbers of individuals for whom Ernst & Young provided services.

That letter goes on to explain that E&Y is working with their corporate clients to notify the relevant individuals impacted by the disclosure of the corporate files, and is itself notifying the individuals whose information was in the other file.
This may explain why, in an earlier report to NY’s Consumer Protection Board, AG’s office, and the Office of Cyber Security and Critical Infrastructure Coordination, Goldman Sachs described a loss of info by E&Y which exposed info on about 9000 Goldman employees and dependents. It seems that this loss was due to the same laptop theft.
IANAL, so I can’t say whether the legal responsibility to notify those potentially affected lies with E&Y’s corporate clients or with E&Y. Perhaps the shortage of information on this has something to do with that aspect of this particular incident.

Originally published by cwalsh on 23 Mar 2006
Last modified on 2 Aug 2018
Categories:   breach analysis   Legal