Ameritrade Customer Data Lost
Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."
I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories...
Make sure everyone's vote counts: Verified Voting
action soon.
If date is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?
Luckily it was insured against loss and Ameritrade will be receiving a check for $100 dollars!
oh HooRay!
Starsucks
It's doubtful that current and former customers with exploited information will care how this occurred.
While I would be upset if this was my personal information, if Ameritrade did what they were supposed to do (as in ensuring the shipping company was a decent company) then I would not be so uptight about the situation. People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.
I mod down so you can mod up. You're welcome.
One ought to be more careful in this Post-9/11 world.
Iran captures three CIA agents
A feeling of having made the same mistake before: Deja Foobar
This is happening all the time now. Here's another:
http://news.bbc.co.uk/1/hi/business/4444477.stm
So, they lost the data and in transit the backup tape was lost. Hmmmm... nothing suspicious to see here kids... please move along
You can get more with a kind word and a gun than you can with a kind word alone. - Al Capone (1899-1947)
Once again, let me suggest that it may be time to legislate significant penalties for companies and/or individuals who are careless with personal data.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Thankfully, all my tech stocks have tanked and there are no more assets to attack. As a matter of fact, I'm more likely to get sued by identity thieves for ruining their reputations and credit ratings.
I remember a while ago I heard that the largest data transport method was the US mail, and by a wide margin. Is this still the case? This may open up an entire new world to identity thieves, if it was not already open.
If we can't count on the companies who handle our money to protect our credit, who can we count on?
This sig has been removed pending an investigation.
My favorite:
"the missing back-up tape contained compressed data that would require very advanced computer systems to access."
http://money.cnn.com/2005/04/19/technology/ameritrade/
Note she did not say encrypted. Modern tape software is often intelligent enough to recognize not only its own compression algorithms, but also formats and algorithms used by other vendors. Maybe Ameritrade thinks they are one of the only companies in the world utilizing LTO, or maybe LTO-2?
Technically someone is in possession of the tape until there is reason to believe otherwise.
We could then refuse to do business with those companies on the grounds that they were obviously lying.
-- Nothing unusual happened today
"...Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
Ah, no.
This is squarely the problem of Ameritrade management. Protection and recovery of backup data rests squarely with IT. There should have been a detailed process done in conjunction with a reliable shipper to ensure protection ( or perhaps a private courier ) of the tape.
Yet another clueless corporation that has no sense of responsibility.
So that's what is on that tape that my grandmother just received randomly from FedEx...
"You talkin' shit?" -- krapper
There are. GLB (Safeguards Rule), FACTA (Disposal Rule)...
One man's Funny is another man's Offtopic.
And they were careless in what way exactly?
What is she on? How is this not an issue? If the data had been properly encrypted, it could have been lost with no danger of the data falling into the wrong hands. Ameritrade decided the data was not worth encrypting, and then lost it.
Even if they couldn't be bothered to encrypt the data, they then shouldn't have shipped it the way they did. They should have shipped the data in a briefcase handcuffed to a trusted courier.
This is most definitely a failure, and a significant one at that. I am saddened that Ameritrade doesn't have the decency to own up to their mistakes. In Canada, they could be charged under the PIPED Act.
Oceania has always been at war with Eastasia.
Got a letter last week from American Century that 2 PCs had been physically stolen from the American Century office containing account information -- names, addresses, balances, but no SSNs.
I am not a crackpot.
that the walkman I lost on my Grandmother's land (the several acres of it), when I was seven years old, is still there. Although she passed away several years ago and someone purchased the land for farming and have tilled the entire lot, I have every reason to believe that it's still there.
Well, at least I have every reason to believe that it was destroyed.
...about how the data was lost. It's a little bit difficult to get angry about a lost package in the shipping process. It happens. It's always going to happen. It's rare, though. I'd be a little pissed off if this was due to a network breach at Ameritrade. As it is, I'm not too concerned. So, yeah, it DOES matter how the data was lost.
...for using a Nigerian shipping company.
Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
No, it's an Ameritrade-picking-a-bad-vendor issue. It is still ultimately Ameritrade's fault.
Just ask Israel for a backup.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
If it's that important, maybe it shouldn't be entrusted to Puck from the Real World San Francisco.
Apparently, "there oughta be a Law." If everyone is going to turn around and say, "I didn't do it!" then the rest of the market needs a device to hold them accountable. Seriously, everyone in that chain of events DID do it. And in fitting "social darwinism" fashion, as any good economist would tell you, they should be destroyed utterly for their failures.
The dumbass executive who decided to use Ganja Security (A Fly-by-Nite subsidiary) probably got a giant bonus for "saving" Ameritrade so much money, instead of fired and sued. Likewise the company that lost the tape pandered to the stockholders how much money they saved by hiring illegal immigrants. It's called integrity, now it's dead, and it used to be America's competitive advantage.
So I've been creating a list of all the major cases I've heard about in 2005. Nearly 1.3 million people have been affected so far this year. Of course now Slashdot won't let me post the information because I have "too few characters per line."
I originally posted an expanded version of this list on my blog to start keeping track of everything.
Here is basically what it looks like:
Date: 04-18-2005
Name of Organization: Ameritrade
How: Lost backup tape with shipping agency
People Affected: 200,000
Link: http://money.cnn.com/2005/04/19/technology/ameritrade/
Date: 04-14-2005
Name of Organization: Polo Ralph Lauren - Mastercards
How: "Security Breach" - Hackers
People Affected: 180,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?file=/n/a/2005/04/14/financial/f064639D31.DTL
Date: 04-08-2005
Name of Organization: San Jose Medical Group
How: Stolen Laptop
People Affected: 185,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?f=/news/archive/2005/04/08/financial/f115753D39.DTL
Date: 03-29-2005
Name of Organization: UC Berkeley
How: Stolen Laptop
People Affected: 98,000
Link: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/03/29/BAG3MBVSFH1.DTL
Date: 03-26-2005
Name of Organization: Northwestern University
How: "Security Breach" - Hackers
People Affected: 21,000
Link: http://www.chicagotribune.com/technology/chi-0503260274mar26,1,5138021.story?coll=chi-technology-hed&ctrack=1&cset=true
Anyway, this is definitely getting ridiculous and out of hand. And it seems we're pretty much helpless to control it as well. When are a lot of these companies going to stop requiring valuable information like social security numbers and such?
There is no excuse not to encrypt all backup tapes anymore where sensitive data is involved. There are appliance-style products out there specifically for encrypting tape backups, if you can't figure out another way.
And I'm sure there are plenty of SW solutions also.
This kind of crap has been happening too often.
I hate to say we need a law, but we need a law.
Just shoot the messenger. Age old solution.
doesn't mean they haven't lost it, but failed to report it in such a way that the media passed it on.
We're dealing with a very small subset of firms that have either been forced to admit, or have voluntarily admitted, data loss of customer records and personal data collected either with or without permission.
The number of firms that haven't admitted it, but have had it happen, is a LOT bigger.
-- Tigger warning: This post may contain tiggers! --
Yes! Because more unenforced legislation similar to HIPAA will make all the difference. After all, leaking of personal medical records is now completely a thing of the past! Just because these laws tend to have loopholes up the wazoo shouldn't be any concern as long as the name of the law makes it sound like things will change.
"The trust of our clients is our most precious asset. Protecting your privacy and safeguarding your personal and financial information is one of our highest priorities."
I work for a company that designs and builds devices used in the medical industry. If we use a third party for hardware or software, we have to verify and vouch for that software. If a patient gets hurt because some 3rd party app did something wrong, the 3rd party doesn't get sued, we do. It should be the same for personal data. Ameritrade should have made sure the data was secure, whether it was in their hands or not. If anyone's identity gets stolen, or they get ripped off in any other way, Ameritrade should be liable for the loss plus damages! As should all of the other companies that are losing personal data.
Let's see if you can spot the carelessness here.
the only solution is the eradication, entirely, of the notion of 'personal data'. by that, i mean: you personally should be recording everything, not just the company. both sides should have their full records, for there to be 'fairness'.
until there is such a common, accepted, standardized practice, there will always be a mis-balance of corporate-Entity(knowledge of individuals) versus independent-Entity(knowledge of corporate state). the reason we hate big brother is because we have no control over him; we'd accept his conditions, if turnabout was enforced by the state, and we had just as much public oversight of government as 'it' does 'us'.
from now on, simply record every single thing you do, anything that's a part of an agreement made with some company, yourself. save every single thing 'they' print you, put it in your system so that you data-mine them. use your digital prowess to record as much of your 'person->corporation' interaction as possible.
do it for a year, and then see how you feel about corporate loss of data.
it's an odd thing, but in fact total-awareness is the only solution to problems of individual privacy versus corporate responsibility. it's a wry old universe, doing the irony thing again..
Let me put on my Dr. Phil voice for a moment...So, how's that working for ya?
Bill Clinton: Pimp we can believe in. - The Shirt!!!
As someone whose company has spent many tens of millions of dollars on HIPAA compliance, I can't tell you how happy I am to hear it's not enforced! I can't wait to tell my boss! I'll bet I get a big raise this year for saving the company all that money!
Just gave them a call to close my account and I must say that they (or at least the person I talked to) was well versed on the talking points from the press release.
1) Blame third party
2) Data is not lost, we just don't know where it is
3) There has been no evidence of the data being used
The woman I spoke with was pretty adamant about making these points and really tried to keep me from closing my account.
I am not sure if this sort of revelation usually results in a significant loss of business or not, but it would appear they were well prepared to rebut people's concerns.
"Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
I think they were referring to XP's built-in support for zip files.
I'm pretty sure Codependents Anonymous hasn't lost any personal data, lately. I'm also sure that they'd LOVE to take absolute control over everyone else's security. Hell, let them. They can't do any worse.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
http://www.firstcoastnews.com/news/georgia/news-ar ticle.aspx?storyid=35796
"ATLANTA (AP) -- D-S-W Shoe Warehouse officials estimate that thieves stole one-point-four million credit card numbers."
The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
http://slate.msn.com/id/2081042/
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Isn't that word just, like, wrong? Isn't the politically correct thing to do in the US to use gender-neutered (oops, gender-neutral) words, like spokesperson?
You ***ENCRYPT*** [and authenticate] your backups.
So that even if you lose the media you don't leak the data...
Of course you have to be a Community College grad to figure that out.
I R SMRT!
Tom
Someday, I'll have a real sig.
At a former financial employer, I didn't hesitate to put encryption into the backup system I designed for a particular product. You have to protect the data at every single failure point, including those of the "whoops, where did we put that tape?" kind.
As someone whose company has spent many tens of millions of dollars on HIPAA compliance, I can't tell you how happy I am to hear it's not enforced! I can't wait to tell my boss! I'll bet I get a big raise this year for saving the company all that money!
Dear Troll,
When was the last time the HIPAA Special Agents dropped by to inspect your organization for compliance? Never? Then it is unenforced. Thanks for playing. You can collect your parting gift at the door.
Learn to love Alaska
Security analyst, Kevin Beaver: All that's needed is just basic security policies, procedures, and common sense safeguards. This is a level of security that far too many organizations have trouble attaining - if the average organization could just implement the basics, that is, reasonable security measures proportionate to the importance of the data and its associated risks - that's often more than enough.
this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor.
The application development group still has a job! You're doing great!
The management that was involved in choosing the vendor has been sacked.
Those responsible for letting this leak into public view have been "reassigned", and will be terminated once the heat dies down.
One tape backup tape. Appears to be functional, bought from local shipping company at auction. :-P
They should have planned for a "shipping problem" with their data. Still inexcusable!
No - the only tape lost was the backup tape - Ameritrade has the original and current data.
So more specifically - the article should be titled "Copy of Ameritrade Customer Data Lost."
I clean up a bank every night which also requires me to clean up their computer room. I see dozens of tapes lying around every night. I'm the first one to get accused of taking anything until they look at their video camera tapes.
"They who would give up an essential liberty for temporary security, deserve neither liberty or security." --Benjamin F
I work with eCommerce for a living. Credit card processing requires the CC#, Exp date, CVV2 code (the digits on the back of the card) and the billing Zipcode.
Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)
I try to refuse to provide a SSN whenever I recognize it isn't needed (like to establish an account at the local dry cleaners) but so often, employees become agitated, as if I am trying to hide something.
We as consumers need to do more to protect our own personal data from getting to 3rd parties in the first place.
Now obviously Ameritrade needs such financial and personally identifying information for SEC and IRS compliance, but in that case, they should be required by an oversight body to protect that information.
HIPAA protects the privacy rights of US citizens' healthcare information and has two very important rules:
(1) information must be secured
(2) only the minimal information may be collected when required and only the minimal information may be shared with those who require it.
Why doesn't this exist for SSN, bank account numbers, etc?
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Am I the only one that thinks of equipment like that sold by Dremel when a non-network router is mentioned?
I'll come back and ask you how you're getting on in a month or two.
Deleted
"Ameritrade has every reason to believe that the tape has either been destroyed or is being held by the shipper."
And now, every bored minimum-wage handler in every depot, while not busy drop-kicking packages marked "Fragile", will be searching every corner for this extremely lucrative opportunity.
Is it time for the USPSS system, or the UPSS system? You know, like HTTPS, but for the postal system or UPS. That way you can securely send your packages using the latest in cutting edge delivery security.
mp3's are only for those with bad memories
Martha Stewart, while on house arrest, has reportedly just finished an upcoming segment for her TV show called "Hand stitching UPS & Fed-Ex uniforms."
When reached for comment, Stewart replied "Well, that is just nonsense. I have been working on these lovely little doilies with little compartments perfect for holding tape backups....I mean napkins, napkins!...In prison they call napkins "tape backups"....I'm still readjusting to life as a free money....WOMAN! FREE WOMAN!!! BLAAAARRGGGHHHH!" Stewart's voice then abruptly changed and lowered and she started cursing in an ancient Latin dialect that researchers are still trying to identify. Stewart could not be reached for further comment.
Turk: Let's play Steak. J.D.: What? Turk: Steak. The 1st person to finish their steak is the winner of Steak. -Scrubs
"this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.
I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.
Adam: It was Eve's fault!
Eve: It was the snake's fault!
George Bush: It was the CIA's fault!
Ameritrade: It was the third party vendor's fault!
I don't know about you guys, but I see a trend here...
1) Blame third party
"I don't do business with companies that cannot and will not take responsibility for what happens to its personal data (or whatever else). In the end, you are where the buck stops. Not the shipping company that you contracted."
2) Data is not lost, we just don't know where it is
"If you don't know where it is, then it is..." *drumroll*
3) There has been no evidence of the data being used
"Not that you know of...or yet."
People say I'm crazy, I got diamonds on the soles of my shoes...
+5, Funny. (I mean, come on, you guys mod a guy insightful for saying "good point"? What's going on with you people?)
(i) The member, broker, or dealer must notify its examining authority designated pursuant to section 17(d) of the Act (15 U.S.C. 78q(d)) prior to employing electronic storage media. If employing any electronic storage media other than optical disk technology (including CD-ROM), the member, broker, or dealer must notify its designated examining authority at least 90 days prior to employing such storage media. In either case, the member, broker, or dealer must provide its own representation or one from the storage medium vendor or other third party with appropriate expertise that the selected storage media meets the conditions set forth in this paragraph (f)(2).
(ii) The electronic storage media must:
(A) Preserve the records exclusively in a non-rewriteable, non-erasable format;
(B) Verify automatically the quality and accuracy of the storage media recording process;
(C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
(D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Brokers are required to use a storage medium where tampering is evident. Once that was bound ledger books written in ink. Later, it was bound books of computer printouts. Then it was microfiche. Today, it's CD-ROM or DVD-ROM. But not magnetic tape. Not even for backup.
And if a securities firm outsources some of its back office operations, the outsourcing firm has to make certain filings with the SEC:
-
(i) If the records required to be maintained and preserved pursuant to the provisions of Sec.Sec. 240.17a-3 and 240.17a-4 are prepared or maintained by an outside service bureau, depository, bank which does not operate pursuant to Sec. 240.17a-3(b)(2), or other recordkeeping service on behalf of the member, broker or dealer required to maintain and preserve such records, such outside entity shall file with the Commission a written undertaking in form acceptable to the Commission, signed by a duly authorized person, to the effect that such records are the property of the member, broker or dealer required to maintain and preserve such records and will be surrendered promptly on request of the member, broker or dealer and including the following provision
...
Ameritrade needs to address these issues. As a broker, they are not allowed to be casual about record-keeping.
Because it's my fault the courier truck was in a highway accident and his load was spilled over the highway, and they could not find the package containing our Backup tapes.
Clearly, that is my fault, and I need to be shot.
I lost our backup tapes once. I left them on top of my car when carrying them to the off site storage. Fortunately, or maybe unfortunately, when I went looking for them, I found that I had run over them. User data safe, 6 DDS-4 tapes destroyed, huge ulcer from worrying about server crash on the day of incident.
"It's not the despair, I can take the despair, it's the hope that's killing me!"
Do you personally escort your backup tapes to wherever you store them offsite? Have you ever lost or misplaced, even temporarily, a backup tape? (Actually, I have not myself.) Are you willing to go to jail for misplacing a backup tape or having your laptop stolen when you went to freshen your latte and not reporting it to the entire world? That is the provision of the California law.
This is just another attempt at collective punishment of corporations for the deliberate misdeeds of a few idiots. (ooh how we all hate corporations. How many of us /. readers are incorporated corps? Probably a few)
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
You're fired!
;-P
"Flyin' in just a sweet place,
Never been known to fail..."
Dear Black Pot,
HIPAA doesn't have Special Agents. However, if you bring a complaint to the Department of Health and Human Services, I'm sure you will see some action. Nice strawman, though.
Paul
If you are not allowed to question your government then the government has answered your question.
I guess Stuart, the orange-haired slacker punk has changed departments?
What you are quoting are the rules for archival storage of information (that is the rule that requires organisations to store for 6 years data relating to their transactions for compliance purposes.) This does not apply to all information retained by brokers (but to specific transactional related data), and it most certainly does not apply to regular backup procedures.
I have been an Ameritrade customer since they bought Datek. I'd like to move somewhere where they will help a little more with tax preparation. Are there on-line brokerage services that keep track of cost basis and report it to you? To me that would be the single biggest thing to bring me away from Ameritrade. So give me a place to go to, and I'll start closing the 4 accounts we have with them.
Think Deeply.
never underestimate the amount of data that can be lost in the back of a truck.
The Kruger Dunning explains most post on
there is a difference between backing up your data, and creating a permanent record.
one: the data on the tape should be encrypted, and the key should be shipped separately, of course. There's no reason at all to send personal data unencoded like that. It's irresponsible for a financial company to do that.
two: there should be more than one copy of the data -- especially if it's being shipped somewhere! This is very valuable information to the company. They should have multiple copies in case someone can't find a tape, or the tape simply can't be read.
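The "encrypt and authenticate your backups" and "ship the key separately" points made in this post and in the earlier ENCRYPT post above, worked through as an added example that is not from any poster here nor from Ameritrade. It uses Go's standard-library AES-256-GCM to seal a backup image before it is written to the medium that leaves the building; the key stays behind. The tape label ("TAPE-0001"), the sample record and the field names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealedTape is the only thing that goes onto the medium handed to the courier.
// The label is stored in the clear (it is what the operator reads off the
// cartridge) but is bound into the authentication tag as associated data, so a
// cartridge that has been relabelled or had its contents swapped fails to open.
type SealedTape struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// NewTapeKey returns a fresh 256-bit key. The key stays in the key store (or
// travels by a separate channel); it is never written to the tape it protects.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTape encrypts and authenticates a backup image under key, binding label.
func SealTape(key []byte, label string, image []byte) (*SealedTape, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per sealed image. GCM loses its guarantees if a
	// nonce repeats under the same key, so one key should not be reused across
	// many tapes without a nonce-management scheme.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &SealedTape{
		Label:      label,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, image, []byte(label)),
	}, nil
}

// OpenTape verifies the tag before returning any plaintext. A wrong key, a
// flipped byte on the medium or a changed label all produce the same error.
func OpenTape(key []byte, t *SealedTape) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	image, err := aead.Open(nil, t.Nonce, t.Ciphertext, []byte(t.Label))
	if err != nil {
		return nil, errors.New("tape failed authentication: wrong key, altered data or relabelled medium")
	}
	return image, nil
}

func main() {
	// Constructed sample record; no real customer data.
	image := []byte("acct=0001;name=Sample Customer;ssn=000-00-0000;balance=1")
	key, err := NewTapeKey()
	if err != nil {
		panic(err)
	}
	tape, err := SealTape(key, "TAPE-0001", image) // constructed serial
	if err != nil {
		panic(err)
	}
	// Whoever ends up holding the cartridge has only this:
	fmt.Printf("on the medium: label=%s nonce=%x ciphertext=%x\n", tape.Label, tape.Nonce, tape.Ciphertext)
	// With the key, which never left the building, the image is recoverable:
	back, err := OpenTape(key, tape)
	fmt.Printf("with key: err=%v image=%q\n", err, back)
	// Without it, or after any alteration in transit, authentication fails:
	wrongKey, _ := NewTapeKey()
	_, err = OpenTape(wrongKey, tape)
	fmt.Println("wrong key:", err)
}
```

The point of the second copy mentioned above falls out of this design: a sealed image can be written to as many cartridges as you like, and the one you keep on site is as safe as the one in transit, because the key is the secret rather than the medium. A real tape writer would stream the image in fixed-size chunks, each with its own nonce and tag, instead of sealing one in-memory blob, and the key would live in a key store with its own escrow and rotation.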
Auditors find IRS employees vulnerable to hackers (3/17/05)
More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday... That was a 50% improvement when compared with a similar test in 2001, when 71 [of 100] employees cooperated and changed their passwords.
IRS Flaws Expose Taxpayers to Snooping, Study Finds (4/18/05)
In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found. A master list of passwords and user names is also widely available, the report said. "Increased risk exists that unauthorized users could ... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said.
--
My Aunt sells identity theft insurance. Email me and I can put you in touch with her.
Heh... strike 5e2000 for slashdot moderators huh...
Slashdot...helping to 'uninform' the public.
While most of you probably think that FedEx or UPS and the like are reliable, you are wrong. My company ships over a thousand packages a month and there are regularly 1-2 packages lost. Just gone, no record, no trace, nothing. The shippers don't seem to think this is unusual, there are systems in place to deal with the unhappy customers. A cost of doing business. 0.1% of its packages, multiply that by the number of packages they ship every day and that's a lot of shipments lost. What happens to them? Is there a lost package department? Do they just trash the leftover stuff?
I think it's interesting to say OK, so if FedEx is losing
In fact no shipper is reliable. Things can and will get lost. Just the way things are. Doesn't mean someone stole it, or if someone stole it that they would know what to do with a backup tape. It would certainly be better if the data was encrypted, but there's very little chance (impossibly small even) this fell into the wrong hands. It's probably sitting in a pile in a warehouse somewhere or crushed along side a road.
You would think that a large brokerage house would just make a copy ... or make several copies... For all we know it got shipped to some redneck's house in Spokane...
You know they shipped it USPS.
Even HIPAA has serious flaws. As soon as you restrict access to only doctors who need it there will be a life threatening situation where a doctor needs access but can't because of HIPAA rules.
Security like this has NO easy and NO perfect solution.
Dear valued Ameritrade customer:
Due to computers errors, we may have lost some of your informations. Please go to the following web site and verify your informations. Please do so as soon as possible or your account may be suspended. Thank you.
http:/256.123.321.201/Ameritrade.html
If a job's not worth doing, it's not worth doing right.
The so called problems of collecting the data aren't problems at all.
While we were napping while watching the Gummint for Big Brother tendencies, private companies (ChoicePoint, the 3 credit reporting bureaus et alia,) have taken over the duties of collecting the data.
The thousands of databases are for sale in an amalgamation of unregulated, internet-enabled market place. At an unprecedented pace and in unexpected ways every little detail of your lives is open to scrutiny. (For more details read "No Place To Hide", by Robert O'Harrow, Jr., Publisher: Free Press, (2005), ISBN: 0-7432-5480-5 )
And what's more, these companies KNOW that their data is unreliable and has errors but they sell it anyway under the principle of "it's close enough for Gummint work".
And it's all legal because the private sector is NOT subject to the constraints that we put Gummint through.
It also frees the Gummint from Freedom of Information rules since they are merely 'using and then tossing away the files'. The Gummint is NOT keeping tabs on you, the database aggregators are.
This means that you can get caught up in a cascade of errors which start off with some fool dumpster diving behind a store and end up with you facing prison for something that was done without your knowledge. Along the way, your credit history has been wrecked, your security clearances may have been revoked, you may have been fired and people may have been hurt or killed by somebody using your name.
Because they aren't liable and because our criminal agencies are still tied up into jurisdictions, unlike the data aggregators, identity thieves are taking full advantage of the wealth of the gullible.
To be fair, you are only gullible if you think that it can't happen to you. Otherwise, you are playing roulette like the rest of us. Or you may have discovered that a generalized and unfocused paranoia is one of the legacies of the Internet.
It CAN happen to anyone. The mechanism is an untargeted attack on information, yours and everyone else's out there.
It may have already happened to you and, because of the legal-to-aggregator jurisdictional asymmetries, you may be well and truly screwed.
The details are leaking because the aggregators aren't watertight about data coming out (identity theft en masse) any more than they are about data coming in (identity theft being committed one datum at a time by one thief).
Repeat the second scenario X million times and you begin to see the scale of the data aggregator's problems. They suffer one theft of thousands of records. And a million people suffer the loss of one record, their own.
The asymmetry means that, potentially, you're getting screwed over by someone you're unlikely to ever meet, but you'll be paying for the fine vacation he had, the new stereo he bought, all the things you would have wished that you could have afforded but now never will because of some psychopath with your ID and an easy scam to pull.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
This data would be especially great for identity thieves because, since they're all Ameritrade customers, they're all guaranteed to be reasonably wealthy. In most of the other high-profile data loss stories that we've seen recently, the data was presumably from a relatively wide cross-section of the population. In this case, however, a potential thief is guaranteed that most everyone he has data on will have a good credit rating and significant financial assets. The last time I looked into Ameritrade, you needed at least $5000 to open a basic account. People who can afford to blow that sort of money playing around with day-trading are probably the sorts of people whose identity you would want to steal.
...that just got a little love letter from Ameritrade.
"Dear Valued Client..."
They don't mention anything about the data on the missing tape, 1 of 4 that hasn't been recovered, being encrypted OR compressed.
They advised that I put a security alert on my credit agency accounts - what fun!
--- Shoo-be-doo-be-do-wop-say-what-yeah!
Oh wait..
There's no word yet on how they arrived at this conclusion
It's simple, two words: wishful thinking.
"Special hardware" does not mean "encrypted." Kryptonite locks require special hardware to open, too (a ballpoint pen). My floppy disk requires special hardware to read (a floppy drive). Compression algorithms are not encryption algorithms; they are meant to allow you to read the data, not prevent it.
Proper disaster recovery means keeping offsite backups. Stuff happens with physical transit. You know that, I know that, everyone knows that. It's precisely because it is a known risk that it needs to be mitigated. The mitigation is, in this case, encryption: so that the data cannot be read by anyone, even if lost. "Every reasonable precaution" must include encryption. Of course, changing your whole backup system is a pain when you're backing up that much every day.
You're probably right that it was just lost in transit. You're definitely right that it's not a big risk to you, because to be perfectly blunt your information was probably long gone anyway. That doesn't mean that Ameritrade didn't screw up badly. "It's the shipping company's fault" is not an acceptable excuse in this case.
What I say does not represent the views of my employers, my friends, my cats, or myself.
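The two points made above, that compression is not encryption and that an offsite backup should be sealed so it is unreadable even if the box falls apart in transit, are easy to show in code. The following is an added example written for this page, not code from the thread or from Ameritrade or Iron Mountain. It builds a constructed two-record sample (placeholder names and numbers), compresses it with gzip the way the article says the tapes were, then does the same with AES-256-GCM from the Go standard library layered on top. The key handling is the assumption here: a real deployment would keep the key in a KMS or HSM that never travels with the media.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample records standing in for account data on a backup tape.
// Names and numbers are placeholders invented for this example.
var sampleRecords = []byte(
	"acct=000111222,name=Jane Example,ssn=000-00-0000\n" +
		"acct=000111223,name=John Sample,ssn=000-00-0001\n")

// compressOnly reproduces what the tapes reportedly were: gzip-compressed and
// not encrypted. gzip is a public format, so this step protects nothing.
func compressOnly(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// decompress is all a finder of a compressed-only tape needs: a reader for the
// format ("special equipment") and no secret of any kind.
func decompress(data []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBackup compresses the records, then seals them with AES-256-GCM.
// Output layout: nonce || ciphertext || tag. Compress first: ciphertext does
// not compress.
func encryptBackup(key, plain []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 key must be 32 bytes")
	}
	compressed, err := compressOnly(plain)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per tape image; GCM nonces must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, compressed, nil), nil
}

// decryptBackup reverses encryptBackup. A wrong key or a modified image fails
// authentication and returns an error instead of silently yielding garbage.
func decryptBackup(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	compressed, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err
	}
	return decompress(compressed)
}

func main() {
	key := make([]byte, 32) // assumption: in practice fetched from a KMS/HSM, never shipped with the tape
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	compressed, _ := compressOnly(sampleRecords)
	recovered, _ := decompress(compressed)
	fmt.Printf("compressed-only tape, read back with no key: %q\n", recovered)

	sealed, _ := encryptBackup(key, sampleRecords)
	fmt.Println("sealed tape contains 'Jane' in the clear:", bytes.Contains(sealed, []byte("Jane")))
	_, err := decryptBackup(make([]byte, 32), sealed)
	fmt.Println("decrypt with the wrong key:", err)
}
```

The point of using an authenticated mode (GCM) rather than a bare block cipher is the last check in `main`: a tape restored with the wrong key, or one whose contents were altered while out of your custody, is rejected outright, which is the behaviour you want from a restore process as much as from a loss.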
as if I am trying to hide something.
They are covering up the fact they were never trained (or forgot) how to not put SSNs into the system. I've come out of stores with famous names and random phone numbers on my receipts, because the clerk didn't know how to bypass their telemarketing system.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)
No, it's because the credit card companies set things up to absolve themselves of all liability if a credit card is used fraudulently. Say your credit card gets stolen and the thief buys stuff. You call the credit card company, they cancel the card and reimburse your account. Problem solved, right?
Nope. The credit card company then refuses to pay the merchant for the fraudulent purchase. The merchant loses the item and he loses the money. (Meanwhile the credit card companies charge exorbitant interest rates to supposedly "offset the cost of fraud." In reality they're laughing all the way to the bank.)
So to cover their ass, most merchants also run the optional security checks the credit card companies offer to prevent fraud: verifying your name, address, and phone number with the billing information on file with the credit card company.
Thanks for proving me wrong Ameritrade.
If you are shipping a backup tape, you should still have a Master record set. If you need to remove the masters from the live machine, you make a Master tape as well. The idea of a backup is that if anything happens to the Master, you have a second place to look. Since this is obviously the only copy, it is the MASTER and no longer a backup, and it should have been copied immediately for a backup. -- My 2 shillings.
Video Production Support
I can tell ya that there aren't many issues that will get the collective hippy minds abuzz and focused, but security and data loss will. We started a few stoned hippies and a small operating system and that led to security to the and a really paranoid one and apparently even have a www.420.org and what we do a lot.
If the fault was mainly of the shipper, as Ameritrade's story goes, they sure are being nice by not mentioning the name of the shipper. If I wanted to deflect blame away from myself, I'd probably be more likely to point to the specific responsible party ("It was our shipper, ___"), instead of saying, "It was our shipper."
...
DHL, UPS, FedEx must have some really good relations with Ameritrade
A financial company would never ship a backup of customers financial data without encrypting it .................. right? :\
Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper.
They have surely been destroyed by UPS.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
The up side of this is that at this rate, everyone in the US will have all their personal data made private. Maybe we'll switch to biometrics for verification of credit cards or something that can't be stolen.
The Right Reverend K. Reid Wightman,
Always blaming it on "Third Party Vendors." Really, does Ameritrade expect anyone to *really* believe that?
Windows has detected an undetectable error.
What makes you think this was the only copy?
Title: "Customer Data Lost" -- not "backup of data lost", but "data lost"
Video Production Support
However, if you bring a complaint to the Department of Health and Human Services, I'm sure you will see some action.
So, HIPAA is enforced only by the consumers, and only then after a violation. As was stated before, it is unenforced. There is no oversight. There is no monitoring. There are no proactive reviews. Considering most of HIPAA is behind-the-scenes work, how do you expect someone to lodge a complaint because the server is not secured to HIPAA standards? Aside from a disgruntled employee, most of HIPAA is unenforceable.
I'll say it again, in case you missed it. HIPAA is effectively unenforced. I've secured systems according to HIPAA. I've secured networks according to HIPAA. HIPAA is a joke. Most of the people working on it don't even know what it requires, including the DHHS and such "enforcing" it. I can't count the number of times that someone has told me that HIPAA requires encryption (when it specifically states that it does not require encryption).
No, it is not well followed, and it is unenforced. It was another good idea that was screwed up by the legislators and others in the implementation.
Learn to love Alaska
It also says: "The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced."
The focus of the article is really that customer data was 'leaked'. Probably a better verb. I highly doubt if the only copy is 'gone'.
Ok. California has this nice law where companies have to report data loss. What happens after that? Do they get a fine per address lost? A slap on the wrist not to let it happen again?
Are they forced to inform their customers? Because that would at least be a nice incentive not to let it happen again.
I also think most people think nothing of it, because they do not understand what crosslinking of databases is capable of. They think, "So what if they send me advertisements in the snailmail? I just throw it out."
Don't fight for your country, if your country does not fight for you.
something tells me this can be traced backed to India somehow..
I can't count the number of times that someone has told me that HIPAA requires encryption (when it specifically states that it does not require encryption).
... "(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information." in the OCR/HIPAA Privacy/Security/Enforcement Regulation Text. That's the unofficial version. Maybe the official version retracts that. I don't have a copy of the official version.
Well, I can show you 164.312 Technical safeguards. A covered entity must, in accordance with 164.306:
If you are not allowed to question your government then the government has answered your question.
"Information on the tapes was compressed, so viewing it would require special equipment, Kush said. It was not encrypted, she added."
It's worth noting that all tape drives are considered "special equipment", and compression isn't anything unusual. About the best thing they have going for them is that there's no label on the tape, so it's not obvious what goodies are on it.
For those saying the package was "lost", they're only partly correct. Actually, there were several tapes in a shipping box, which was damaged and had tapes fall out. Three of the four tapes that had fallen out have been recovered. The last tape was lost, and we can only hope it was lost in a way that ensured its destruction.
Offtopic and redundant. Enough already!
I can honestly say I don't give a shit.
You could actually pronounce "first post" if you took your head out of his ass!
Iron Mountain was also very quick to recommend data encryption... this press release is from the same day as the Ameritrade release...
Iron Mountain Incorporated (NYSE:IRM) is advising its customers that current, commonly used disaster recovery processes do not address increased requirements for protecting personal information from inadvertent disclosure. In recent months, several companies have disclosed incidents that may have compromised personal information. While most of these cases involved malicious, online identity theft, some of the events were due to the accidental loss of computer backup tapes.