The auditor for Hotels.com is Ernst & Young, and one of their staff working on the audit had their laptop stolen from their car, compromising the credit card data of approximately 243,000 customers.
These things will happen, but what I don’t understand is whether they’re just assuming whoever stole the laptop is going to be able to crack the password that is no doubt protecting it. I have to enter two different passwords just to get into my work laptop, one to boot up and one to log in.
Am I missing something here? Are passwords not enough to protect the data? Can you just rip the hard drive out of the laptop somehow and extract the data that way? Is any data truly safe, then?
EY has pledged to encrypt sensitive data such as this in the future, so maybe that holds the key to safeguarding the intangible assets of audit clients.