Ameritrade Customer Data Lost
Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."
If data is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?
It's doubtful that current and former customers with exploited information will care how this occurred.
While I would be upset if this was my personal information, if Ameritrade did what they were supposed to do (as in ensuring the shipping company was a decent company) then I would not be so uptight about the situation. People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.
I mod down so you can mod up. You're welcome.
"...Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
Ah, no.
This is squarely the problem of Ameritrade management. Protection and recovery of backup data rests squarely with IT. There should have been a detailed process done in conjunction with a reliable shipper to ensure protection (or perhaps a private courier) of the tape.
Yet another clueless corporation that has no sense of responsibility.
A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.
As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.
...about how the data was lost. It's a little bit difficult to get angry about a lost package in the shipping process. It happens. It's always going to happen. It's rare, though. I'd be a little pissed off if this was due to a network breach at Ameritrade. As it is, I'm not too concerned. So, yeah, it DOES matter how the data was lost.
Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
No, it's an Ameritrade-picking-a-bad-vendor issue. It is still ultimately Ameritrade's fault.
This is possible. However, the Ameritrade privacy policy states that they can share personal information of clients with non-affiliated businesses to improve quality of service. The only thing preventing this from happening is an option that clients can request to not have their information traded with non-affiliates. I don't see any reason to pretend to 'lose' customer data, when you simply sell it legally.
This is my last post.
[6th Estate]
There is no excuse not to encrypt all backup tapes anymore where sensitive data is involved. There are appliance-style products out there specifically for encrypting tape backups, if you can't figure out another way.
And I'm sure there are plenty of SW solutions also.
This kind of crap has been happening too often.
I hate to say we need a law, but we need a law.
At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one to two million records.
It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million to a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third to a sixth of the entire population of the US.
At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.
The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.
Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I work for a company that designs and builds devices used in the medical industry. If we use a third party for hardware or software, we have to verify and vouch for that software. If a patient gets hurt because some 3rd party app did something wrong, the 3rd party doesn't get sued, we do. It should be the same for personal data. Ameritrade should have made sure the data was secure, whether it was in their hands or not. If anyone's identity gets stolen, or they get ripped off in any other way, Ameritrade should be liable for the loss plus damages! As should all of the other companies that are losing personal data.
"this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.
I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.
Encryption is not expensive financially. Decent encryption tends to be computationally expensive, though, and may slow backups. Worse, it involves changing processes. Ever tried to make a bank change how they do things?
What I say does not represent the views of my employers, my friends, my cats, or myself.
There is no incentive for those businesses to keep the data safe.
No incentive?! There's a HUGE stack of negative PR that says you're wrong. Granted, Choicepoint may or may not have considered this beforehand, but they've been raked over the coals over this issue (justifiably so). I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.
Auditors find IRS employees vulnerable to hackers (3/17/05)
... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said.
More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday... That was a 50% improvement when compared with a similar test in 2001, when 71 [of 100] employees cooperated and changed their passwords.
IRS Flaws Expose Taxpayers to Snooping, Study Finds (4/18/05)
In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found. A master list of passwords and user names is also widely available, the report said. "Increased risk exists that unauthorized users could
--
My Aunt sells identity theft insurance. Email me and I can put you in touch with her.
I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.
It went way over your head.
Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.
This list should be a lot longer. Various banks (like Chase, Wells Fargo, Bank of America) and Credit Card companies, H&R Block (I think), the IRS, and numerous other companies have had important customer data compromised.
There probably is a web site on this...
Hard to find with all the security alerts.
This is why it is vital that the Gov needs to use a Public/Private key system with authenticity handshaking with SSN (make the SSN a public ID, that is verified by a changeable password, businesses only receive a notice from the Gov that you are authorized to use it). The current system is absolutely broken. I've gotten three calls at home with someone trying to verify my wife's SSN so that they could use it for identity theft (tip: if a business doesn't want to give you an address, they are crooks).
>>"ad space available -- low rates!!!"