Slashdot Mirror


Ameritrade Customer Data Lost

Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."

12 of 324 comments (clear)

  1. Question by elid · · Score: 4, Insightful

    If date is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?

    1. Re:Question by TripMaster+Monkey · · Score: 3, Insightful


      Encrypting takes money and time in order to set up procedures and train and implement.

      Just how much time, money, and training does it take to specify a session/encryption password in the backup dialog?

      We encrypt all our backups. Not doing so is reckless, as backup copies are regularly sent via UPS to offsite storage facilities.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Question by yamla · · Score: 3, Insightful

      If the data was encrypted, there'd be no reason for them to announce a loss.

      --

      Oceania has always been at war with Eastasia.
    3. Re:Question by NMerriam · · Score: 3, Insightful

      The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.

      Yeah, but that could just be marketing-speak for "you need a $2,000 tape drive to read the tape". Of course you need special equipment, the question still remains as to whether or not the data was encrypted on the fly during backup, or if it is stored as such and backed up in the same state. I would NOT consider it acceptable for a financial services company to ship around huge volumes of unencrypted customer data via third parties.

      All that said, this is about the only recent customer data loss that in theory I find "acceptable", just because there are not a lot of practical ways to move backups to the opposite coast, and Fedex is a pretty typical choice. Fedex losing a package is rare, but it does happen -- not a lot Ameritrade can do about it.

      Yes, I am an Ameritrade customer, but haven't received a letter so I assume (!) that means I wasn't on that backup tape.

      --
      Recursive: Adj. See Recursive.
  2. Re:Data loss... or ... data collection? by stinerman · · Score: 5, Insightful

    A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.

    As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.

  3. I'm an Ameritrade customer and I DO care how... by samdu · · Score: 3, Insightful

    ...about how the data was lost. It's a little bit difficult to get angry about a lost package in the shipping process. It happens. It's always going to happen. It's rare, though. I'd be a little pissed off if this was due to a network breach at Ameritrade. As it is, I'm not too concerned. So, yeah, it DOES matter how the data was lost.

  4. Not Ameritrade's Fault? by lbmouse · · Score: 3, Insightful

    Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    No, it's an Ameritrade-picking-a-bad-vendor issue. It is still ultimately Ameritrade's fault.

  5. Backup Tapes should always be encrypted by workerbeedrone · · Score: 3, Insightful

    There is no excuse not to encrypt all backup tapes anymore where sensitive data is involved. There are appliance-style products out there specifically for encrypting tape backups, if you can't figure out another way.
    And I'm sure there are plenty of SW solutions also.

    This kind of crap has been happening too often.
    I hate to say we need a law, but we need a law.

  6. Re:Data loss... or ... data collection? by jd · · Score: 4, Insightful
    California did pass a law requiring the reporting of incidents. It is unclear if this has anything to do with the reports, other than these reports all came out afterwards.


    At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one to two million records.


    It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million to a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third to a sixth of the entire population of the US.


    At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.


    The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.


    Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  7. Responsibility by derfel · · Score: 3, Insightful

    I work for a company that designs and builds devices used in the medical industry. If we use a third party for hardware or software, we have to verify and vouch for that software. If a patient gets hurt because some 3rd party app did something wrong, the 3rd party doesn't get sued, we do. It should be the same for personal data. Ameritrade should have made sure the data was secure, whether it was in their hands or not. If anyone's identity gets stolen, or they get ripped off in any other way, Ameritrade should be liable for the loss plus damages! As should all of the other companies that are losing personal data.

  8. Argh! by crimoid · · Score: 4, Insightful

    "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.

    I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.

  9. Re:Data loss... or ... data collection? by stinerman · · Score: 4, Insightful

    I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.

    It went way over your head.

    Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.