Ameritrade Customer Data Lost
Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."
If data is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?
A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.
As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.
At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one and two million records.
It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million and a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third and a sixth of the entire population of the US.
At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.
The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.
Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility? This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.
I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.
I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.
It went way over your head.
Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.