Ernst & Young loses 250,000 credit card numbers on laptop

Bad publicity shows why firms must have security and policies to protect data and devices

Firms have been reminded of the need to protect data on mobile devices and elsewhere after an auditor from Ernst & Young lost a laptop containing highly sensitive client information.

The names, addresses and credit card details of almost a quarter of a million Hotels.com customers were on the laptop stolen from a locked car in the US, according to reports.

In a letter sent to its customers, Hotels.com said: “The computer contained certain information about customer transactions with Hotels.com and other sites. This information may have included your name, address and some credit or debit card information you provided at that time.”

Such losses are embarrassing, but also have wider implications. Legal experts said firms have a legal responsibility to ensure the security of their clients’ and customers’ data.

“In the UK there is a general obligation within the Data Protection Act that a business must apply technical and organisational measures to guard against security breaches,” said Struan Robertson of law firm Pinsent Masons.

Robertson said that firms should encrypt data, and use more sophisticated safeguards than a simple password. He also advised that staff should never take laptops off company premises if they contain sensitive data of the sort lost by Ernst & Young.