More than 240,000 Hotels.com customers are at risk for identity theft after an unencrypted laptop containing their personal information was stolen from the locked car of an Ernst & Young (E&Y) employee.
Ernst & Young officials reported the theft, which occurred in late February in Texas, to Hotels.com on May 3, said Cathy Bump, the lodging website’s senior compliance officer. Hotels.com is sending letters to the affected customers.
Personal data on the computer, including names, addresses and credit card information, pertained to transactions made around 2004, Bump said. However, company officials have no reason to believe any of the information – which was being audited by Ernst & Young – has been misused, she said.
"We just know the laptop was stolen," she said. "E&Y has taken full responsibility for the incident."
A statement from Ernst & Young expressed regret for the incident.
"The security and confidentiality of our client information is of critical importance to Ernst & Young and we regret any inconvenience or concern this incident may have caused Hotels.com and their customers. The crime appears to be a random theft, and we have no indication that the thief was specifically targeting the laptop or any information contained on it," the statement said.
Hotels.com imposes certain requirements "with third parties with whom we share data," Bump said. "Obviously there was the expectation that the data would be kept confidential and secure. Obviously that did not occur."
Bump said Ernst & Young computers now all are all encrypted, but they were not at the time of the theft. The stolen laptop was, however, password protected and contained several levels of access requirements to reach the personal data.
Bump also expressed some disappointment over the time it took for the international accounting firm to notify Hotels.com about the theft.
"We certainly expressed some frustration to E&Y as to the length of time," she said. "We understand it did take them some time to establish whose information is on that laptop."
Hotels.com, in conjunction with Ernst & Young, established a call center to answer any questions from affected customers. In addition, the company offered customers one year of free credit monitoring.
"We obviously take this very seriously, and the trust of our customers is very important to us," Bump said.
This is at least the fifth Ernst & Young laptop stolen this year. Four machines were stolen in February when a group of auditors left their laptops in a Miami conference room as they went to lunch, according to published reports.
And a fifth device containing Social Security numbers of some high-level customers, including former Sun Microsystems CEO Scott McNealy was also lost.