Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ameritrade Customer Data Lost

Posted by CmdrTaco on from the it's-going-to-get-worse-before-it-gets-better dept.

Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."

62 of 324 comments (clear)

  1. Data loss... or ... data collection? by rsborg · · Score: 4, Interesting
    Maybe I'm wandering into tinfoil-hat territory here, but what's with this recent spate of customer data loss? I mean, holy hell.. there's been something like several millions of records of customer data being reported as "lost" or "stolen" lately... is someone trying to collect data on everyone surreptitiously?

    I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories...

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:Data loss... or ... data collection? by stinerman · · Score: 5, Insightful

      A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.

      As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.

    2. Re:Data loss... or ... data collection? by sellin'papes · · Score: 2, Insightful

      This is possible. However, the Ameritrade privacy policy states that they can share personal information of clients with non-affiliated business to improve quality of service. The only thing preventing this from happening is an option that clients can request to not have their information trade with non-affiliates. I don't see any reason to pretend to 'lose' customer data, when you simply sell it legally.

      --
      This is my last post.
      [6th Estate]
    3. Re:Data loss... or ... data collection? by Daedala · · Score: 5, Informative

      This isn't a recent spate of customer data loss. It is, as you note, a recent spate of customer data loss reporting. It's mostly due to California Civil Code 1798, formerly known as State Bill 1386. Before we were just quietly leaking like a sieve; now we know we are.

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    4. Re:Data loss... or ... data collection? by jd · · Score: 4, Insightful
      California did pass a law requiring the reporting of incidents. It is unclear if this has anything to do with the reports, other than these reports all came out afterwards.


      At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one to two million records.


      It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million to a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third to a sixth of the entire population of the US.


      At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.


      The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.


      Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:Data loss... or ... data collection? by tomhudson · · Score: 2, Funny

      So it's okay for me to bid $10 for the copy of it that's being sold on eBay?

    6. Re:Data loss... or ... data collection? by FatAlb3rt · · Score: 2, Insightful

      There is no incentive for those businesses to keep the data safe.

      No incentive?! There's a HUGE stack of negative PR that says you're wrong. Granted, Choicepoint may or may not have considered this before hand, but they've been raked over the coals over this issue (justifyably so). I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.

    7. Re:Data loss... or ... data collection? by stinerman · · Score: 4, Insightful

      I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.

      It went way over your head.

      Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.

  2. Question by elid · · Score: 4, Insightful

    If date is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?

    1. Re:Question by TripMaster+Monkey · · Score: 3, Insightful


      Encrypting takes money and time in order to set up procedures and train and implement.

      Just how much time, money, and training does it take to specify a session/encryption password in the backup dialog?

      We encrypt all our backups. Not doing so is reckless, as backup copies are regularly sent via UPS to offsite storage facilities.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Question by AviLazar · · Score: 2, Insightful

      How do you know the data was not encrypted? I read the article, I do not recall seeing anything about encryption.

      --

      I mod down so you can mod up. Your welcome.
    3. Re:Question by soconnor99 · · Score: 5, Interesting

      The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.

      All this information was sent in a letter last week.

      As a customer, I feel it was nice for them to keep me in the loop, but I don't feel the least bit threatened.

      Pretty much every company I've ever worked for uses some sort of courier service to move backup tapes off site. If something happens with that courier, after every reasonable precaution was taken by Ameritrade (which it certainly appears it has), it's pretty much out of their control.

      They said what's happened, and what they think the exposure is. What else would you have them do, not send their backup tapes offsite?

    4. Re:Question by qwijibo · · Score: 2, Insightful

      I agree with the philosophy of encrypting backups. However, in practice it does add another layer of complexity. It complicates recovery in the case of of partially corrupted media. Also, larger companies will have policies and compliance issues surrounding the use and storage of passwords for the backups. An encrypted backup without the password is nothing more than a false sense of security.

    5. Re:Question by fishbowl · · Score: 2


      "No. I'll tell you why. Encrypting takes money and time in order to set up procedures and train and implement."

      It also adds a risk factor to the backup integrity.
      Tape can be unreliable enough, without adding the requirement that an entire stream must be perfect from head to tail, or else it becomes extremely difficult to recover any data at all.

      --
      -fb Everything not expressly forbidden is now mandatory.
    6. Re:Question by yamla · · Score: 3, Insightful

      If the data was encrypted, there'd be no reason for them to announce a loss.

      --

      Oceania has always been at war with Eastasia.
    7. Re:Question by NMerriam · · Score: 3, Insightful

      The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.

      Yeah, but that could just be marketing-speak for "you need a $2,000 tape drive to read the tape". Of course you need special equipment, the question still remains as to whether or not the data was encrypted on the fly during backup, or if it is stored as such and backed up in the same state. I would NOT consider it acceptable for a financial services company to ship around huge volumes of unencrypted customer data via third parties.

      All that said, this is about the only recent customer data loss that in theory I find "acceptable", just because there are not a lot of practical ways to move backups to the opposite coast, and Fedex is a pretty typical choice. Fedex losing a package is rare, but it does happen -- not a lot Ameritrade can do about it.

      Yes, I am an Ameritrade customer, but haven't received a letter so I assume (!) that means I wasn't on that backup tape.

      --
      Recursive: Adj. See Recursive.
    8. Re:Question by Politburo · · Score: 5, Funny

      According to Ameritrade (my broker), special hardware is required to read the information

      That's correct. The tape is unreadable with human eyes.

    9. Re:Question by Greyfox · · Score: 2, Interesting
      Most IT companies out there don't really understand encryption and to learn how to do it would be "too hard." That's because most of them are managed by Barbie.

      For example, the various banks, credit card companies and other institutions that might E-mail you COULD adopt a policy of signing all messages with a PGP key, the public portion of which would be available on their web page. However if you compare the billions of dollars lost each year to the 20 minutes it'd take them to learn how to use PGP, you'll see that the billions of dollars is preferable since they typically don't pay it (It's either the customer, insurance or the taxpayer.)

      On a similar note, a lot of companies don't publish SPF records becase the 5 minutes it takes to go to spf.pobox.com and enter your information in the wizard would distract the IT department from their ultra-important schedule of slashdot browsing (You know who you are.)

      And yes, the fact that these companies won't so much as lift a finger to contribute toward preventing fraud or protecting your data really pisses me off.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    10. Re:Question by Greyfox · · Score: 2, Funny

      They said it was "compressed" and would require "an advanced system" to access the data. I assume they mean it'd require a system with gunzip and a tape drive. Fortunately there aren't any of those out there except in corporate IT departments.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    11. Re:Question by TripMaster+Monkey · · Score: 2

      It takes more time, money and training than doing nothing.

      No, it doesn't.

      In terms of time, it's an extra 5 seconds when setting up the backup job. Not each time the backup job is run, but when it is set up. This amounts to a one-time cost of 25 seconds at my site.

      In terms of money, the backup software most corporations use is already capable of encryption. No extra financial outlay required.

      In terms of training, the system administrator should not require training to accomplish this, since he is expected to know how to do such things by virtue of his profession (or at least know how to learn for himself). It took me a whole 2 minutes to figure out how to enable encryption on our backups when I first started at this company).

      Any competent administrator should be making sure his company's data is protected at all points. If he fails to do this, he opens up the company to possible litigation, not to mention bad press. Ask yourself: how much has AmeriTrade lost because of this latest blunder? (Please don't say nothing...be a little more honest than that). If the admin had encrypted the backup, they would still have been lost, but the data would still be entirely secure. Wouldn't that have been worth a 30-second investment?

      So in short, there is no excuse. Period.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

  3. Luckily.. by ShaniaTwain · · Score: 4, Funny

    Luckily it was insured against loss and Ameritrade will be recieving a check for $100 dollars!

    oh HooRay!

    --
    Starsucks
  4. actually.... by AviLazar · · Score: 2, Insightful

    It's doubtful that current and former customers with exploited information will care how this occurred.

    While I would be upset if this was my personal information, if Ameritrade did what they were supposed to do (as in ensuring the shipping company was a decent company) then I would not be so uptight about the situation. People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.

    --

    I mod down so you can mod up. Your welcome.
    1. Re:actually.... by rsborg · · Score: 2, Interesting
      People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.

      Great, next time I lose some important info that could compromise someone else's credit security, I'll just claim it's an "accident" and that "Shit happens".

      Seriously, people would care if they

      • knew what data had been lost (were they SSN/name combos? Trade information? Bank routing info for transfer?)
      • Whether their had been affected
      But they don't (currently) know... so of course they don't care... it's not clear what the impact is. And Ameritrade has every incentive to hide or destroy any evidence that reveals this. And, of course, the corporate media has no real incentive to reveal Ameritrade's fuckup either.
      --
      Make sure everyone's vote counts: Verified Voting
    2. Re:actually.... by The+Slashdolt · · Score: 4, Funny

      Dear Sir,

      Recently, we were sending all of the money in your account to another branch and, well, it got lost on the way. Sorry, shit happens.

      Sincerely,
      Your Bank

      --
      mp3's are only for those with bad memories
    3. Re:actually.... by rsborg · · Score: 2, Insightful
      Now to continue "if it was a pure accident (as such things happen) well it is what it is", see this shows that accidents happen and nobody is at fault. Such things could happen from glitches in the tracking system, mother nature, vandals/thieves, etc. While a company should try and minimize negative effects to their clients, bad things happen even when people take proper precautions.

      Bullshit. If BAD STUFF HAPPENS, even if it's an accident, then someone should be held liable (Think Exxon Valdez... they had to clean up the mess). Sad fact of matter is that there is no real liability for Ameritrade's in this case. If there was, you'd bet your ass that either they would have a policy in place to prevent it from happening or to carefully vet their 3rd party shippers to prevent this kind of loss.

      --
      Make sure everyone's vote counts: Verified Voting
    4. Re:actually.... by YetAnotherAnonymousC · · Score: 2, Informative

      Interstingly enough, if you deposit a check at an ATM, and they lose it (maybe a windy day) when unloading the stuff, they aren't liable. This is why I always give deposits to a real person.
      (yeah, you could get a replacement check from the payer, but that isn't always easy...)

  5. In Other News by ackthpt · · Score: 5, Funny
    HOLLAND, MI (OOP) OSTG has revealed that member data for Slashdot.org, an online technical news site, has been compromised. "At first we thought it was only a network error, until we noticed trends in trolling and moderation making little sense," said Rob Malda, who goes by the nickname of CmdrTaco and was one of the sites founders. "Posts which were clearly uninformative, insightful or interesting were receiving high marks, while better pieces were completely ignored." Further, Malda indicated the loss may have been as high as 100,000 ids and passwords. Which in the wrong hands could tip the opinions of nerds and geeks the world over. In early hours of trading the NASDAQ plummeted 11% on the news and downtown Holland, Michigan was in flames as a mob of panicking and angry posters went on a rampage, before sating itself on chocolate covered espresso beans at the Rocky Peanut Company and pausing to "ooh and ahh" at shiny things in the local Radio Shack window or gaze longingly at the poster for the upcoming Star Wars: Episode III, Revenge of the Sith outside the local theater. Said Holland mayor, Albert H. McGeehan, "Well, isn't this a fine kettle of tulips!" At press time OSTG had not returned any calls on the matter.
    --

    A feeling of having made the same mistake before: Deja Foobar
  6. Yeah it's nasty but it is this stuff news ? by Anonymous Coward · · Score: 2, Informative

    This is happening all the time now. Here's another:

    http://news.bbc.co.uk/1/hi/business/4444477.stm

  7. How much longer until personal data gets protected by Skyshadow · · Score: 2, Interesting

    Once again, let me suggest that it may be time to legislate significant penalties for companies and/or individuals who are careless with personal data.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  8. As an Ameritrade customer I'd be worried... by Anonymous Coward · · Score: 4, Funny

    Thankfully, all my tech stocks have tanked and there are no more assets to attack. As a matter of fact, I'm more likely to get sued by identity theives for ruining their reputations and credit ratings.

  9. Compressed Data Secure? by Anonymous Coward · · Score: 2, Funny

    My favorite:

    "the missing back-up tape contained compressed data that would require very advanced computer systems to access."

    http://money.cnn.com/2005/04/19/technology/ameri tr ade/

    Note she did not say encrypted. Modern tape software is often intelligent enough to recognize not only its own compression algorithms, but also formats and algorithms used by other vendors. Maybe Ameritrade thinks they are one of the only companies in the world utilizing LTO, or maybe LTO-2?

  10. News at 11, [insert company name here] loses data by lxdbxr · · Score: 5, Funny
    At this point, I feel it would be useful to have a list of major companies which have not lost hundreds of thousands of customer records.

    We could then refuse to do business with those companies on the grounds that they were obviously lying.

    --
    -- Nothing unusual happened today
  11. Ameritrade needs to fire their IT Director by ip_freely_2000 · · Score: 2, Insightful

    "...Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    Ah, no.

    This is squarely the problem of Ameritrade management. Protection and recovery of backup data rests squarely with IT. There should have been a detailed process done in conjunction with a reliable shipper to ensure protection ( or perhaps a private courier ) of the tape.

    Yet another clueless corporation that has no sense of responsibility.

  12. American Century by Rob+the+Bold · · Score: 2, Informative

    Got a letter last week from American Century that 2 PCs had been physically stolen form the American Century office containing account information -- names addresses, balances, but no SSNs.

    --
    I am not a crackpot.
  13. I'm an Ameritrade customer and I DO care how... by samdu · · Score: 3, Insightful

    ...about how the data was lost. It's a little bit difficult to get angry about a lost package in the shipping process. It happens. It's always going to happen. It's rare, though. I'd be a little pissed off if this was due to a network breach at Ameritrade. As it is, I'm not too concerned. So, yeah, it DOES matter how the data was lost.

    1. Re:I'm an Ameritrade customer and I DO care how... by fishbowl · · Score: 2, Insightful

      "Over a bonded private courier who would baby sit the package from beginning to end, and if anything happend to the package they'd be out lots of money and looking for a whole new career?"

      You do one level of risk management for an organ transplant, and another level for routine data warehousing.

      --
      -fb Everything not expressly forbidden is now mandatory.
  14. Not Ameritrade's Fault? by lbmouse · · Score: 3, Insightful

    Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    No, it's an Ameritrade-picking-a-bad-vendor issue. It is still ultimately Ameritrade's fault.

    1. Re:Not Ameritrade's Fault? by Xiver · · Score: 2, Insightful

      I agree. If someone pays a $10 per hour janitor a few thousand dollars to swap out a backup tape from our server room, we are responsible in one way or another. After all we are stewards of the data.

      --
      10: PRINT "Everything old is new again."
      20: GOTO 10
  15. An Epidemic? by WhiteBandit · · Score: 4, Informative

    So I've been creating a list of all the major cases I've heard about in 2005. Nearly 1.3 million people have been affected so far this year. Of course now Slashdot won't let me post the information because I have "too few characters per line."

    I originally posted an expanded version of this list on my blog to start keeping track of everything.

    Here is basically what it looks like:
    Date: 04-18-2005
    Name of Organization: Ameritrade
    How: Lost backup tape with shipping agency
    People Affected: 200,000
    Link: http://money.cnn.com/2005/04/19/technology/ameritr ade/

    Date: 04-14-2005
    Name of Organization: Polo Raplh Lauren - Mastercards
    How: "Security Breach" - Hackers
    People Affected: 180,000
    Link: http://www.sfgate.com/cgi-bin/article.cgi?file=/n/ a/2005/04/14/financial/f064639D31.DTL

    Date: 04-08-2005
    Name of Organization: San Jose Medical Group
    How: Stolen Laptop
    People Affected: 185,000
    Link: http://www.sfgate.com/cgi-bin/article.cgi?f=/news/ archive/2005/04/08/financial/f115753D39.DTL

    Date: 03-29-2005
    Name of Organization: UC Berkeley
    How: Stolen Laptop
    People Affected: 98,000
    Link: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/20 05/03/29/BAG3MBVSFH1.DTL

    Date: 03-26-2005
    Name of Organization: Northwestern University
    How: "Security Breach" - Hackers
    People Affected: 21,000
    Link: http://www.chicagotribune.com/technology/
    chi-050 3260274mar26,1,5138021.story?coll=chi-technology-h ed&ctrack=1&cset=true

    Anyway, this is definitely getting ridiculous and out of hand. And it seems we're pretty much helpless to control it as well. When are a lot of these companies going to stop requiring valuable information like social security numbers and such?

    1. Re:An Epidemic? by Vitriol+Angst · · Score: 2, Insightful

      This list should be a lot longer. Various banks (like Chase, Wells Fargo, Bank of America) and Credit Card companies, HR & Block (I think), the IRS, and numerous other companies have had important customer data compromised.

      There probably is a web site on this...
      Hard to find with all the security alerts.

      This is why it is vital that the Gov needs to use a Public/Private key system with authenticity handshaking with SSN (make the SSN a public ID, that is verified by a changeable password, businesses only receive a notice from the Gov that you are authorized to use it). The current system is absolutely broken. I've gotten three calls at home with someone trying to verify my wifes SSN so that they could use it for Identiy theft (tip; if a business doesn't want to give you an address, they are crooks).

      --
      >>"ad space available -- low rates!!!"
  16. Backup Tapes should always be encrypted by workerbeedrone · · Score: 3, Insightful

    There is no excuse not to encrypt all backup tapes anymore where sensitive data is involved. There are appliance-style products out there specifically for encrypting tape backups, if you can't figure out another way.
    And I'm sure there are plenty of SW solutions also.

    This kind of crap has been happening too often.
    I hate to say we need a law, but we need a law.

  17. Just because firms haven't said they lost data by WillAffleckUW · · Score: 2, Interesting

    doesn't mean they haven't lost it, but failed to report it in such a way that the media passed it on.

    We're dealing with a very small subset of firms that have either been forced to admit, or have voluntarily admitted, data loss of customer records and personal data collected either with or without permission.

    The number of firms that haven't admitted it, but have had it happen, is a LOT bigger.

    --
    -- Tigger warning: This post may contain tiggers! --
  18. Responsibility by derfel · · Score: 3, Insightful

    I work for a company that designs and builds devices used in the medical industry. If we use a third party for hardware or software, we have to verify and vouch for that software. If a patient gets hurt because some 3rd party app did something wrong, the 3rd party doesn't get sued, we do. It should be the same for personal data. Ameritrade should have made sure the data was secure, whether it was in their hands or not. If anyone's identity gets stolen, or they get ripped off in any other way, Ameritrade should be liable for the loss plus damages! As should all of the other companies that are losing personal data.

    1. Re:Responsibility by Reignking · · Score: 2, Interesting

      There is something specific for personal data that is used by financial institutions. It is called the Financial Modernization Act of 1999, aka Gramm-Leach-Bliley, aka GLB!

      As an example of the penalties:
      In November 2004, two companies were charged by the Federal Trade Commission (FTC) with violation of GLB for not having proper safeguards to protect customers' sensitive personal and financial information. One of those, Sunbelt Lending Services, agreed to a settlement that bars future violations of GLB and requires independent, biannual audits of its information security program for ten years.

      --
      One man's Funny is another man's Offtopic.
  19. personal data protection == big sister by torpor · · Score: 3, Interesting

    the only solution is the eradication, entirely, of the notion of 'personal data'. by that, i mean: you personally should be recording everything, not just the company. both sides should have their full records, for there to be 'fairness'.

    until there is such a common, accepted, standardized practice, there will always be a mis-balance of corporate-Entity(knowledge of individuals) versus indepent-Entity(knowledge of corporate state). the reason we hate big brother is because we have no control over him; we'd accept his conditions, if turnabout was enforced by the state, and we had just as much public oversight of government as 'it' does 'us'.

    from now on, simply record every single thing you do, anything thats a part of an agreement made with some company, yourself. save every single thing 'they' print you, put it in your system so that you data-mine them. use your digital prowess to record as much of your 'person->corporation' interaction as possible.

    do it for a year, and then see how you feel about corporate loss of data.

    its an odd thing, but in fact total-awareness is the only solution to problems of individual privacy versus corporate responsibility. its a wry old universe, doing the irony thing again..

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  20. Ameritrade Customer Service by kid_wonder · · Score: 4, Interesting

    Just gave them a call to close my account and I must say that they (or at least the person I talked to) was well versed on the talking points from the press release.

    1) Blame third party
    2) Data is not lost, we just don't know where it is
    3) There has been no evidence of the data being used

    The woman I spoke with was pretty adamant about making these points and really tried to keep me from closing my account.

    I am not sure if this sort of revelation usually results in a significant loss of business or not, but it would appear they were well prepared to rebut peoples concerns.

    --

    "Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
    1. Re:Ameritrade Customer Service by garcia · · Score: 3, Funny

      2) Data is not lost, we just don't know where it is

      And that's when you tell them that just because it's 4/20 does not mean they can be high at work.

  21. FOR SALE by jchawk · · Score: 2, Funny

    One tape backup tape. Appears to be functional, bought from local shipping company at auction. :-P

  22. Why do so many sites collect personal information? by amichalo · · Score: 4, Informative

    I work with eCommerce for a living. Credit card processing requires the CC#, Exp date, CVV2 code (the digits on the back of the card) and the billing Zipcode.

    Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)

    I try to refuse to provide a SSN whenever I recocgize it isn't needed (like to establish an account at the local dry cleaners) but so often, employees become adjitated, as if I am trying to hide something.

    We as consumers need to do more to protect our own personal data from getting to 3rd parties in the first place.

    Now obviously Ameritrade needs such financial and personally identifying information for SEC and IRS compliance, but in that case, they should be required by an oversight body to protect that information.

    HIPPA protects the privacy rights of US citizens healthcare information and has two very important rules:
    (1) information must be secured
    (2) only the minimal information may be collected when required and only the minimal information may be shared with those who require it.

    Why doesn't this exist for SSN, bank account numbers, etc?

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  23. Argh! by crimoid · · Score: 4, Insightful

    "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.

    I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.

  24. Re:Encryption expensive? by Daedala · · Score: 2, Insightful

    Encryption is not expensive financially. Decent encryption tends to be computationally expensive, though, and may slow backups. Worse, it involves changing processes. Ever tried to make a bank change how they do things?

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  25. sheesh by tuxette · · Score: 2, Interesting

    1) Blame third party

    "I don't do business with companies that cannot and will not take responsibility for what happens to its personal data (or whatever else). In the end, you are where the buck stops. Not the shipping company that you contracted."

    2) Data is not lost, we just don't know where it is

    "If you don't know where it is, then it is..." *drumroll*

    3) There has been no evidence of the data being used

    "Not that you know of...or yet."

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  26. Tape? They're not allowed to use tape. by Animats · · Score: 3, Informative
    Brokers aren't allowed to use magnetic tape. SEC Rule 17a-4, "Records to be preserved by certain exchange members, brokers and dealers", requires write-once media.
    • (2) If electronic storage media is used by a member, broker, or dealer, it shall comply with the following requirements:

      (i) The member, broker, or dealer must notify its examining authority designated pursuant to section 17(d) of the Act (15 U.S.C. 78q(d)) prior to employing electronic storage media. If employing any electronic storage media other than optical disk technology (including CD-ROM), the member, broker, or dealer must notify its designated examining authority at least 90 days prior to employing such storage media. In either case, the member, broker, or dealer must provide its own representation or one from the storage medium vendor or other third party with appropriate expertise that the selected storage media meets the conditions set forth in this paragraph (f)(2).

      (ii) The electronic storage media must:

      (A) Preserve the records exclusively in a non-rewriteable, non-erasable format;

      (B) Verify automatically the quality and accuracy of the storage media recording process;

      (C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and

      (D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.

    Brokers are required to use a storage medium where tampering is evident. Once that was bound ledger books written in ink. Later, it was bound books of computer printouts. Then it was microfiche. Today, it's CD-ROM or DVD-ROM. But not magnetic tape. Not even for backup.

    And if a securities firm outsources some of its back office operations, the outsourcing firm has to make certain filings with the SEC:

    • (i) If the records required to be maintained and preserved pursuant to the provisions of Sec.Sec. 240.17a-3 and 240.17a-4 are prepared or maintained by an outside service bureau, depository, bank which does not operate pursuant to Sec. 240.17a-3(b)(2), or other recordkeeping service on behalf of the member, broker or dealer required to maintain and preserve such records, such outside entity shall file with the Commission a written undertaking in form acceptable to the Commission, signed by a duly authorized person, to the effect that such records are the property of the member, broker or dealer required to maintain and preserve such records and will be surrendered promptly on request of the member, broker or dealer and including the following provision ...
    Ameritrade needs to address these issues. As a broker, they are not allowed to be casual about record-keeping.
  27. Lost tapes by Viceman001 · · Score: 2, Interesting

    I lost our backup tapes once. I left them on top of my car when carrying them to the off site storage. Fortunately, or mabye unfortunately, when I went looking for them, I found that I had ran over them. User data safe, 6 dds4 tapes destroyed, huge ulcer from worrying about server crash on the day of incident.

    --
    "It's not the despair, I can take the despair, it's the hope that's killing me!"
  28. Re:OK, you try PGPing 15TB of data by DigitalCrackPipe · · Score: 3, Informative

    1. There are algorithms that are designed for realtime encryption, i.e. twofish. 2. There is special hardware that can perform encryption/decryption much more efficiently than your general-purpose CPU. Just because microsoft backup doesn't support encryption doesn't mean that any serious backup software won't do it. If your backup software/system doesn't support encryption, it was designed for home-users (despite what it claims). When the market demands encryption, software vendors will step up. Or maybe I should say "if".

  29. Re:MOD PARENT UP! by Anonymous Coward · · Score: 3, Funny

    Good point. ;)

  30. Re:Tape? For backups yes by ihaddsl · · Score: 4, Informative

    What you are quoting are the rules for archival storage of information (that is the rule that requires orginasations to store for 6 years data relating to their transactions for compliance purposes.) This does not apply to all information retained by brokers (but to specific transactional related data), and it most certainly does not apply to regular backup procedures

  31. Re:This story is Boring and Offtopic by geekoid · · Score: 2, Interesting

    never underestimate the amount of data that can be lost in the back of a truck.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  32. Re:Biggest data transport method by tompaulco · · Score: 2, Interesting

    You have it backwards. Cheap Bulk mail subsidizes first class mail. It's bulk, remember. It may be cheaper, but they send out thousands of them. Bulk rate minimum is 12 cents. It is usually more like 18 cents and can go up to almost 30 cents.
    In your situation, the mailman must come to your box, which takes time. In most cases, he must merely stop at the street. In many communities, regulations will not allow a house mounted mailbox on new construction. It must be on the street. The Postal service does not charge based on the "worst case" of having to go to the box, but on the average case which is a mix of the two. Apartments are even better because they can get hundreds of peoples mail sorted out in maybe five minutes thanks to centralized mail facilities.
    The Post office must take into consideration good situations like an apartment building, with bad situations, such as rural routes with one house every mile. Unlike many other delivery companies, they offer the same rate for any mail delivery anywhere in the United States. Great if you like to send mail from New York to California, not so great if you are inviting people to a block party.
    The USPS makes money. The billions of peices of bulk mail they send every year helps us to enjoy reasonable first class stamp prices.

    --
    If you are not allowed to question your government then the government has answered your question.
  33. Re:deliberate reckless? bs by cprincipe · · Score: 2, Interesting

    I would rather think it is another example of corporations failing to effectively police themselves and the government having to step in. Free Enterprise would work like a dream if companies took responsibility for their actions - then governments wouldn't have any place to step in.

    --

    bun-fhuinneog agam!

  34. Ameritrade? What about the IRS? by Panaphonix · · Score: 2, Insightful

    Auditors find IRS employees vulnerable to hackers (3/17/05)

    More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday... That was a 50% improvement when compared with a similar test in 2001, when 71 [of 100] employees cooperated and changed their passwords.

    IRS Flaws Expose Taxpayers to Snooping, Study Finds (4/18/05)

    In all, 7,500 IRS employees, law enforcers and outside contractors can access and modify tax returns and financial-crime reports, the GAO found. A master list of passwords and user names is also widely available, the report said. "Increased risk exists that unauthorized users could ... claim a user identity and then use that identity to gain access to sensitive taxpayer or Bank Secrecy Act data," the report said.

    --
    My Aunt sells identity theft insurance. Email me and I can put you in touch with her.

  35. Easy to restore by Dun+Malg · · Score: 2, Funny
    Even if they don't have backups it should be easy to get most of the info. Just send an email to their customers:

    Dear valued Ameritrade customer:
    Due to computers errors, we may have lost some of your informations. Please go to the following web site and verify your informations. Please do so as soon as possible or your account may be suspended. Thank you.

    http:/256.123.321.201/Ameritrade.html

    --
    If a job's not worth doing, it's not worth doing right.