Unless you subscribe to the Birmingham News, you probably missed this. Russell Hubbard reports on January 31, 2012, that, “Regions Says Employee 401k Data Lost When Auditor Ernst & Young Mailed Flash Drive and Code Key Together.” Info Security Magazine provides additional information.
Ernst & Young mailed the data from one of its offices to another. The envelope contained an encrypted flash drive with employee personal identity and 401K data, and a sheet of paper containing the decryption key. During transit the envelope was ripped open. At the destination, the flash drive was gone, but the decryption key remained.
There are three documents that ProfAlbrecht is trying to obtain: (1) letter from Ernst & Young to Regions Bank explaining the incident, (2) letter from Regions Bank to its employees explaining the incident, (3) letter from Ernst & Young to employees.
Hubbard reports that Ernst & Young regrets any inconvenience and concern that Regions employees might experience. Both Hubbard and Info Security Magazine quote one of the Ernst & Young letters as saying, “… we deeply regret that this incident occurred.”
EY regrets the incident’s consequences but not having caused the incident. I strongly dislike such non-apologetic apologies.
Regions has a reputation for lock-down tight data security. Unfortunately, Ernst & Young doesn’t.
I wonder if Ernst & Young will get fired over this incident.
I’ll report more on this in the future.
Debit and credit – - David