TRAVEL INSIDER

On holiday? Be wary -- identity thieves could be lurking

By James Gilden
Special to The Times

June 18, 2006

EXPERIENCED travelers know it's critical to keep important documents, cash and credit cards close at hand to keep them out of unscrupulous hands. Nothing can spoil a vacation faster than the theft of your passport or money.

Nothing, that is, except the theft of your personal information.

More than a third of the 686,000 complaints that the Federal Trade Commission received in 2005 were about identity theft, making it the No. 1 reported problem. Although many of us have heeded the warnings to guard our Social Security numbers and shred documents that contain sensitive information, two recent incidents have given travelers pause.

Last month, Hotels.com notified 243,000 customers that their names, addresses and credit card information had been compromised when a laptop with that data, belonging to an employee of the accounting firm Ernst & Young, was stolen from a parked car in Texas. (Ernst & Young was performing a routine audit of online travel agency Expedia, the parent company of Hotels.com.) Most of the customer information was from transactions in 2004, although a few were from 2002 and 2003.

Although the theft occurred in February, Ernst & Young did not notify Hotels.com until May 3. Notices to affected customers were mailed May 26.

In explaining the delay, Ernst & Young spokesman Charles Perkins said, "There was a great deal of data on the computer, and it took an extensive analysis to identify it." No other sensitive customer data were lost, Perkins said.

In a letter sent to affected customers, Ernst & Young said it believed that the theft was random and that the specific information was not targeted. Law enforcement personnel were notified, and no illegal activity has been associated with the theft, Ernst & Young said.

The computer was password-protected, but the information was not encrypted — that is, it was accessible to anybody who could get past the password. The data on all 30,000 Ernst & Young computers have since been encrypted, Perkins said.

Why the data were on a laptop outside the office is another question.

"We have a large mobile workforce that often works with their laptops in our client offices and other locations," Perkins said.

That answer doesn't satisfy at least one consumer advocate.

"The 'why' question is never addressed," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization.

"Why was this sensitive data in the car in the first place? It makes them look more negligent than they are already perceived as being."

Givens was one of the affected customers and received a letter from Hotels.com.

"It didn't really explain much," she said. "None of those letters give much information to the affected individual."

Ernst & Young is providing affected customers with a toll-free hotline to answer any questions as well as free credit monitoring for a year.



Although the data did not include Social Security numbers, which is the key to successful identity theft, customers should still take advantage of the free credit-monitoring offer, Givens said.

"I don't think [identity theft is] a potential risk unless there is something they're not telling us," she said. "Usually, people want to monitor their credit when there is potential for fraudulent new accounts."

Travelers should also be careful where they discard boarding passes, because some contain information.

This spring, data security expert Adam Laurie performed an experiment for the Guardian newspaper in London. Using only the information on a British Airways boarding pass found in the trash at a London train station, he bought a ticket in the passenger's name and accessed his information using the frequent-flier number on the boarding pass. Never asked for a password, Laurie was able to access the passenger's passport number, issue date, issuing office, nationality, country of residence and date of birth.

"The security flaw was due to an interaction between B.A.'s collection of data for both their loyalty program … and advance passenger information," Laurie, technical director of the Bunker, a hardware and software security firm based in Kent, England, said in an e-mail interview. (Advance passenger information is a program of the U.S. government that gathers data on foreigners traveling to the U.S.)

Laurie said he had not tried to reproduce these results on other airline websites, and British Airways said it corrected the security flaws on its site. Still, Laurie urged caution when discarding documents that contain identifying information.

"Any channel by which personal information can leak and/or be exploited should be taken very seriously," he said.

Here are some tips offered by the Privacy Rights Clearinghouse:

•  Clean out your wallet before a trip. Remove unnecessary credit cards, your Social Security card and other unneeded documents that could compromise your identity if they are lost or stolen.

Remove documents such as insurance or Medicare cards that have Social Security numbers as part of the identifying information. Make photocopies and black or cut out the last four digits of the Social Security number and carry that with you.

Photocopy or make a list of the remaining contents of your wallet. Keep a copy of that list in a secure location and with a trusted individual you can contact in case your wallet is lost or stolen.

•  Do not leave your wallet or any documents containing personal information in your hotel room. Use a hotel safe.

Use traveler's checks (which don't contain personal identifying information) or credit cards (which usually protect their holders).

•  Don't discard your boarding passes. Not only may they contain identifying information, but you'll also need them if a mistake is made in crediting frequent-flier miles to your account. Once miles have been credited, shred the passes.

---

James Gilden can be reached at james.gilden@latimes .com.

Copyright 2006 Los Angeles Times