Recently the news broke that hotels.com had the personal data for hundreds of thousands of their customers stolen, and it turns out Greg Hughes was one of those customers affected by the theft. Greg just so happens to be an IT security expert and the whole situation has him downright angry, and rightly so. The customer data in this case, and in many others as well, was stolen when a laptop that was left in an employee’s car was taken. I am never in favor of additional regulation of businesses but is it going to take passing a law to prevent companies like hotels.com from putting confidential customer databases on mobile computers that can be carried right out of the company building and stolen? How many times are we going to repeat episodes like this before somebody does something to stop it from happening again? Greg uses the perfect word to describe this situation, a word that normally sends shivers down the spines of corporate legal departments, negligence. How else would you describe this other than sheer stupid negligence on the part of the company that collects sensitive data from customers and then takes such a cavalier attitude about protecting it?
Making matters worse the data theft occurred in February and no one was notified until 3 months later. What? In a time when identity theft in the US is at shocking levels and companies just carry the private data out in public and then bury their head in the sand when something happens? I can see the meeting that took place that made this possible. Executives sitting around the conference table and Manager X proudly proclaiming to the audience that the “entire customer database can be carried into the field where it will be instantly accessible, saving us thousands of dollars of network infrastructure” while the entire group nods in agreement over such a brilliant cost-saving idea. This from a company that no doubt has policies prohibiting employees from plugging USB flash drives into corporate PCs to prevent anyone from taking company property (files) home with them. Unbelievable. The same scenario is taking place over and over again with nobody trying to stop it. As Greg points out, 84,797,096 individuals are known to have their sensitive data lost in data breaches so far. It sounds like it’s time for a law, if that’s the only way to force these companies to take better care of their customers. And that’s us, people.