Data containing the names and credit card
information of more than 200,000 Hotels.com customers has gone missing,
according to officials from the travel retailer, and the site is
working with law enforcement to recover the information.
Hotels.com added
the data theft was not related to a hacker breaching the sites
security. Instead, the breach involved information from the site
stored on a laptop computer used by an employee of Ernst &
Young, an auditing firm that at some point apparently went
missing.
It was actually a
financial services audit, Cathy Bump, Hotels.coms senior compliance
officer told TravelWeekly.com. It is routine to provide financial
and transactional information to an auditor.
Ernst & Young
informed Hotels.com on May 3 that the laptop was unaccounted for in
late February. Hotels.com, an operating company of Expedia, Inc.,
said the missing data was limited to its customers.
Bump said
Hotels.coms auditing data contained the names, addresses and
information pertaining to at least one credit card for 243,000 of
the Web sites customers.
We are taking the
incident very seriously, said Bump, but she noted the situation was
different from an actually
incident of identity theft where enough information is pilfered to
essentially allow someone to financially assume the role of someone
else.
In this case, Bump
said, the potential fraud should be limited to particular [credit]
cards.
We have notified
the customers [by letter] and we are advising them to monitor their
credit card statements, and contact their card companies if they
see any suspicious or unauthorized charges, Bump said. Weve
contacted law enforcement and we are working with them to monitor
whether anyone has misused the data.
In addition,
Hotels.com is offering the option of free credit monitoring to
affected customers.
So far, Bump said,
there has been no evidence of misuse. We are reassured at this
point to see that there is no evidence of any misuse of the data
and we will continue to monitor it.
Hotels.com and
Ernst & Young have also established two hot lines to aid
customers: (866) 387-2242 in the U.S. or (201) 872-0169 for those
calling from outside the U.S.
Hotels.com joins a
wide array of companies that have fallen victims to incidents of
lost or stolen data.
In January,
Marriott Vacation Club International said computer tapes containing
credit card information and other data on some 206,000 of the
companys 250,000 timeshare owners and customers went missing from
its offices.
Other companies
ranging from Lexus Nexus to the Ford Motor Company, as well as
educational institutions have had similar incidents.
The Federal Trade
Commission estimated in a 2003 report that some 10 million
Americans have been directly impacted by data theft.
The focus clearly
has been on online security, but in fact if you monitor the
breaches that are occurring periodically, it is really not online
focused, said Bump. The fact that a transaction occurred initially
online verses offline really doesnt have such a great impact on the
chances that there ultimately might be a breach. So I dont think
this is a statement at all about online security.
Hotels.com places
great emphasis not only on our internal security practices but also
monitoring and assessing the security practices of our vendors,
which we do on an ongoing basis, she added. This points to the
importance of doing that.
To contact
reporter Michael Milligan, send e-mail to [email protected].