Oops. Ernst & Young just let the personal data and credit card numbers of 243,000 HOTELS.COM subscribers get stolen, via that old standby: a stolen laptop. And these people call themselves auditors, supposedly qualified to judge the accounting integrity of American business? It’s no wonder that hundreds of billions of dollars of fraud have been coming to light over the last several years.
The very fact that the data was stored on a laptop in unencrypted format is criminal negligence.
For those of you who care whether your laptop is compromised if it is stolen, here are a couple of things you can do. E&Y didn’t do them, and now 243,000 of us are paying the price.
The Microsoft solution I don’t trust (but better than nothing)
First, if you use Windows XP Professional, you can right-click a folder and click a little box “Encrypt.” This will encrypt the files so prying eyes can’t get at them. If you suspend your laptop without logging out, however, then a thief can access the files if they resume the stolen laptop, so always log out before suspending. (Or set your laptop to require a password after suspending.)
Personally, I don’t trust Microsoft’s security. They have a 25-year track record of designing highly insecure systems, and shipping those systems pre-configured to their least secure configuration. No matter how much they say that security is now a priority, I can’t imagine that their thousands of programmers suddenly acquired the ability to write secure code after spending their entire careers not knowing how. Furthermore, they’re now creating their own anti-virus products and firewalls. Any company that makes money selling me protection against vulnerabilities they built into their own software isn’t a company I want to trust with my sensitive business data.
The “virtual encrypted disk” solution I trust
I use PGP Desktop’s “Virtual Disk” product. I create a virtual encrypted disk that I must explicitly open, entering a passphrase, whenever I boot the computer. It’s a bit more work than Microsoft’s solution, but PGP has a spotless record going back 20 years for having the strongest, most secure encryption available. PGP was originally an open-source product and its algorithms are public knowledge, so the security community can make sure the product is solid.
Anything’s better than nothing
In any event, use something. If you deal with sensitive data, you should never, ever have it unencrypted on a computer that might be physically compromised. Even if you have a password-protected laptop, the disk drive can be removed and read by a thief, so keep the data encrypted on that drive.
E&Y should have done that. Heck, E&Y should never allow an employee to touch a computer that hasn’t been made as iron-clad as possible. (They probably let their employees connect to unencrypted wireless networks while traveling. Conveniently, that lets a thief simply sit in an airport boarding lounge and grab sensitive data out of the air.) You do better. Get secure. There’s no reason to do otherwise.