When are we going to stop putting customer data on mobile devices?


Recently the news broke that hotels.com had the personal data for hundreds of thousands of their customers stolen, and it turns out Greg Hughes was one of those customers affected by the theft.  Greg just so happens to be an IT security expert and the whole situation has him downright angry, and rightly so.  The customer data in this case, and in many others as well, was stolen when a laptop that was left in an employee’s car was taken.  I am never in favor of additional regulation of businesses but is it going to take passing a law to prevent companies like hotels.com from putting confidential customer databases on mobile computers that can be carried right out of the company building and stolen?  How many times are we going to repeat episodes like this before somebody does something to stop it from happening again?  Greg uses the perfect word to describe this situation, a word that normally sends shivers down the spines of corporate legal departments, negligence.  How else would you describe this other than sheer stupid negligence on the part of the company that collects sensitive data from customers and then takes such a cavalier attitude about protecting it?

Making matters worse the data theft occurred in February and no one was notified until 3 months later.  What?  In a time when identity theft in the US is at shocking levels and companies just carry the private data out in public and then bury their head in the sand when something happens?  I can see the meeting that took place that made this possible.  Executives sitting around the conference table and Manager X proudly proclaiming to the audience that the “entire customer database can be carried into the field where it will be instantly accessible, saving us thousands of dollars of network infrastructure” while the entire group nods in agreement over such a brilliant cost-saving idea.  This from a company that no doubt has policies prohibiting employees from plugging USB flash drives into corporate PCs to prevent anyone from taking company property (files) home with them.  Unbelievable.  The same scenario is taking place over and over again with nobody trying to stop it.  As Greg points out, 84,797,096 individuals are known to have their sensitive data lost in data breaches so far.  It sounds like it’s time for a law, if that’s the only way to force these companies to take better care of their customers.  And that’s us, people.




So what exactly does an Ernst & Young auditor do that requires access to customer credit card information?

And why did it take three months to notify affected customers? California statute SB 1386 requires that notice must occur in “the most expedient time possible and without unreasonable delay.”


Three months seems like an outrageously long delay. I for one will not ever do business with Hotels.com. And while I am at it, I think I’ll send Hotels.com parent company Expedia.com a letter requesting clarification on who exactly they give access to my travel and account information.

I think it’s time to not only force companies to disclose data breaches, but to fine them a sufficiently high amount per affected customer that data security simply becomes an economic necessity. How about $1000 for each lost customer record, payable to the impacted individuals?

Marc Orchant

James: In all fairness to the employees and managers of Hotels.com, it was an auditor employed by Ernst & Young who had the information on his laptop. So the situation is even worse in the sense that companies like E&Y are often retained to advise companies like Hotels.com on best practices in data security.

I don’t disagree with anything you or Greg have said. It’s a sad state of affairs when this kind of breach of customer privacy can repeat itself time and again and supposedly smart people in these companies can’t figure out how to define and implement policy to prevent it.

It’s really this simple:

1. Never store customer information (or any other confidential company information) on a laptop without encrypting the data and securing the device with two authentication factors (password + something).

2. Wherever possible, keep exploitable data like credit card and social security numbers in a separate, related, and non-portable file.

3. Use a VPN tunnel, or Secure Shell-encrypted connection to transfer information between a mobile device and a host computer.

None of the above is rocket science.
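Item 2 in the list above, sketched as an added example that is not part of the original post or comment: card and Social Security numbers stay in a host-side store, and the copy that travels carries only a random token relating each row back to it. The table names, function names and sample records are assumptions constructed for illustration, and two in-memory SQLite databases stand in for the server store and the laptop extract.

```python
import secrets
import sqlite3

# Constructed sample records; names and numbers are made up for illustration.
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.com",
     "card": "4111111111111111", "ssn": "078-05-1120"},
    {"name": "B. Sample", "email": "b@example.com",
     "card": "5500005555555559", "ssn": "219-09-9999"},
]
SENSITIVE = ("card", "ssn")  # fields that must never leave the host


def split_records(customers):
    """Return (vault, portable): two separate databases related only by a random token."""
    vault = sqlite3.connect(":memory:")     # stands in for the non-portable, server-side file
    portable = sqlite3.connect(":memory:")  # stands in for the extract copied to a laptop
    vault.execute("CREATE TABLE sensitive (token TEXT PRIMARY KEY, card TEXT, ssn TEXT)")
    portable.execute("CREATE TABLE customers (token TEXT PRIMARY KEY, name TEXT, email TEXT)")
    for c in customers:
        token = secrets.token_hex(16)  # random, so it reveals nothing about the card or SSN
        vault.execute("INSERT INTO sensitive VALUES (?, ?, ?)", (token, c["card"], c["ssn"]))
        portable.execute("INSERT INTO customers VALUES (?, ?, ?)", (token, c["name"], c["email"]))
    return vault, portable


def leaked_fields(portable, customers):
    """Pre-export check: list every sensitive value found anywhere in the portable copy."""
    rows = portable.execute("SELECT * FROM customers").fetchall()
    dump = "\n".join(str(value) for row in rows for value in row)
    return [c[f] for c in customers for f in SENSITIVE if c[f] in dump]


def lookup_on_host(vault, token):
    """Resolve a token to (card, ssn); only possible where the vault lives."""
    return vault.execute("SELECT card, ssn FROM sensitive WHERE token = ?", (token,)).fetchone()


if __name__ == "__main__":
    vault, portable = split_records(CUSTOMERS)
    print("portable rows:", portable.execute("SELECT name, email FROM customers").fetchall())
    print("sensitive values in portable copy:", leaked_fields(portable, CUSTOMERS))
```

A stolen copy of the portable database then exposes names and e-mail addresses but no card or Social Security numbers; it would still need the encryption described in item 1.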
