Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Ernst & Young accused by Canadian used computer dealer of data breach

Ellen Messmer | Sept. 11, 2014
A used computer dealer in Canada claims he discovered a trove of Ernst & Young customer business data on Dell servers bought back in 2006 -- and he wants the global consultancy to pay him to return the data. But is the breach for real or just a hoax?

"Mr. Morris has repeatedly threatened to sell the servers (including the data that he claims exists on the server) to a third party," states an affidavit from Elizabeth Kiss, chief compliance officer and privacy officer at the Canadian member firm of Ernst & Young, which was filed in July.

According to that affidavit, Morris approached a former Ernst & Young partner in June to tell him that a law firm, a data company and an M&A advisory firm were interested in acquiring the alleged Ernst & Young data, with bids for it supposedly reaching $1.2 million.

Morris says he's contacted some of the customers and "demonstrated to the customers what data I have." The court filings also indicate Morris has said he sold the second server he allegedly bought to a law firm, which would consider selling it, through him, to Ernst & Young for $320,000.

"Denying something doesn't change the facts," says Morris in e-mailed remarks. "I have the data and have provided proof and a full list of names." Morris is believed to have stored copies of the sensitive data on a number of devices he has.

At this point, an order from a Calgary court requires Morris to provide Ernst & Young's legal counsel with copies of the alleged data and the primary server's serial number by Sept. 15. By Sept. 30, he's supposed to give inspectors from Ernst & Young, such as computer forensics specialists, access to the servers and devices that Morris controls that might have any Ernst & Young data stored on it.

Today, Morris said in a phone call he does intend to comply with the order, and he expects the meeting with Ernst & Young to take place in a warehouse he has. Morris says he anticipates Ernst & Young to start going through the data he has and deleting any associated with Ernst & Young, which he says is quite a lot. His time is worth money, says Morris, and he claims Ernst & Young has agreed via an e-mail exchange to pay him $1,500 per day to cooperate with the data inspection. Morris says he does about $300,000 annually in used computer equipment sales.  

For Ernst & Young, there's the gnawing possibility that Morris isn't bluffing.

"They say if the data exists on the server, then it was by mistake," says Morris, who contends what he has includes a lot of sensitive financial information on businesses that all adds up to a significant data breach. Whether that's true or not could become clear in a matter of weeks.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.