Ameritrade Customer Data Lost

← Back to Stories (view on slashdot.org)

Ameritrade Customer Data Lost

Posted by CmdrTaco on Wednesday April 20, 2005 @04:52AM from the it's-going-to-get-worse-before-it-gets-better dept.

Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."

18 of 324 comments (clear)

Min score:

Reason:

Sort:

Data loss... or ... data collection? by rsborg · 2005-04-20 04:53 · Score: 4, Interesting

Maybe I'm wandering into tinfoil-hat territory here, but what's with this recent spate of customer data loss? I mean, holy hell.. there's been something like several millions of records of customer data being reported as "lost" or "stolen" lately... is someone trying to collect data on everyone surreptitiously?
I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories...

--
Make sure everyone's vote counts: Verified Voting
1. Re:Data loss... or ... data collection? by stinerman · 2005-04-20 04:58 · Score: 5, Insightful
  
  A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.
  
  As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.
2. Re:Data loss... or ... data collection? by Daedala · 2005-04-20 05:08 · Score: 5, Informative
  
  This isn't a recent spate of customer data loss. It is, as you note, a recent spate of customer data loss reporting. It's mostly due to California Civil Code 1798, formerly known as State Bill 1386. Before we were just quietly leaking like a sieve; now we know we are.
  
  --
  What I say does not represent the views of my employers, my friends, my cats, or myself.
3. Re:Data loss... or ... data collection? by jd · 2005-04-20 05:10 · Score: 4, Insightful
  
  California did pass a law requiring the reporting of incidents. It is unclear if this has anything to do with the reports, other than these reports all came out afterwards.
  
  At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one to two million records.
  
  It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million to a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third to a sixth of the entire population of the US.
  
  At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.
  
  The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.
  
  Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
4. Re:Data loss... or ... data collection? by stinerman · 2005-04-20 06:18 · Score: 4, Insightful
  
  I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.
  
  It went way over your head.
  
  Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.
Question by elid · 2005-04-20 04:54 · Score: 4, Insightful

If date is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?
1. Re:Question by soconnor99 · 2005-04-20 05:27 · Score: 5, Interesting
  
  The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.
  
  All this information was sent in a letter last week.
  
  As a customer, I feel it was nice for them to keep me in the loop, but I don't feel the least bit threatened.
  
  Pretty much every company I've ever worked for uses some sort of courier service to move backup tapes off site. If something happens with that courier, after every reasonable precaution was taken by Ameritrade (which it certainly appears it has), it's pretty much out of their control.
  
  They said what's happened, and what they think the exposure is. What else would you have them do, not send their backup tapes offsite?
2. Re:Question by Politburo · 2005-04-20 05:52 · Score: 5, Funny
  
  According to Ameritrade (my broker), special hardware is required to read the information
  
  That's correct. The tape is unreadable with human eyes.
Luckily.. by ShaniaTwain · 2005-04-20 04:54 · Score: 4, Funny

Luckily it was insured against loss and Ameritrade will be recieving a check for $100 dollars!

oh HooRay!

--
Starsucks
In Other News by ackthpt · 2005-04-20 04:55 · Score: 5, Funny

HOLLAND, MI (OOP) OSTG has revealed that member data for Slashdot.org, an online technical news site, has been compromised. "At first we thought it was only a network error, until we noticed trends in trolling and moderation making little sense," said Rob Malda, who goes by the nickname of CmdrTaco and was one of the sites founders. "Posts which were clearly uninformative, insightful or interesting were receiving high marks, while better pieces were completely ignored." Further, Malda indicated the loss may have been as high as 100,000 ids and passwords. Which in the wrong hands could tip the opinions of nerds and geeks the world over. In early hours of trading the NASDAQ plummeted 11% on the news and downtown Holland, Michigan was in flames as a mob of panicking and angry posters went on a rampage, before sating itself on chocolate covered espresso beans at the Rocky Peanut Company and pausing to "ooh and ahh" at shiny things in the local Radio Shack window or gaze longingly at the poster for the upcoming Star Wars: Episode III, Revenge of the Sith outside the local theater. Said Holland mayor, Albert H. McGeehan, "Well, isn't this a fine kettle of tulips!" At press time OSTG had not returned any calls on the matter.

--

A feeling of having made the same mistake before: Deja Foobar
As an Ameritrade customer I'd be worried... by Anonymous Coward · 2005-04-20 04:56 · Score: 4, Funny

Thankfully, all my tech stocks have tanked and there are no more assets to attack. As a matter of fact, I'm more likely to get sued by identity theives for ruining their reputations and credit ratings.
News at 11, [insert company name here] loses data by lxdbxr · 2005-04-20 04:57 · Score: 5, Funny

At this point, I feel it would be useful to have a list of major companies which have not lost hundreds of thousands of customer records.
We could then refuse to do business with those companies on the grounds that they were obviously lying.

--
-- Nothing unusual happened today
An Epidemic? by WhiteBandit · 2005-04-20 05:05 · Score: 4, Informative

So I've been creating a list of all the major cases I've heard about in 2005. Nearly 1.3 million people have been affected so far this year. Of course now Slashdot won't let me post the information because I have "too few characters per line."

I originally posted an expanded version of this list on my blog to start keeping track of everything.

Here is basically what it looks like:
Date: 04-18-2005
Name of Organization: Ameritrade
How: Lost backup tape with shipping agency
People Affected: 200,000
Link: http://money.cnn.com/2005/04/19/technology/ameritr ade/

Date: 04-14-2005
Name of Organization: Polo Raplh Lauren - Mastercards
How: "Security Breach" - Hackers
People Affected: 180,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?file=/n/ a/2005/04/14/financial/f064639D31.DTL

Date: 04-08-2005
Name of Organization: San Jose Medical Group
How: Stolen Laptop
People Affected: 185,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?f=/news/ archive/2005/04/08/financial/f115753D39.DTL

Date: 03-29-2005
Name of Organization: UC Berkeley
How: Stolen Laptop
People Affected: 98,000
Link: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/20 05/03/29/BAG3MBVSFH1.DTL

Date: 03-26-2005
Name of Organization: Northwestern University
How: "Security Breach" - Hackers
People Affected: 21,000
Link: http://www.chicagotribune.com/technology/
chi-050 3260274mar26,1,5138021.story?coll=chi-technology-h ed&ctrack=1&cset=true

Anyway, this is definitely getting ridiculous and out of hand. And it seems we're pretty much helpless to control it as well. When are a lot of these companies going to stop requiring valuable information like social security numbers and such?
Ameritrade Customer Service by kid_wonder · 2005-04-20 05:14 · Score: 4, Interesting

Just gave them a call to close my account and I must say that they (or at least the person I talked to) was well versed on the talking points from the press release.

1) Blame third party
2) Data is not lost, we just don't know where it is
3) There has been no evidence of the data being used

The woman I spoke with was pretty adamant about making these points and really tried to keep me from closing my account.

I am not sure if this sort of revelation usually results in a significant loss of business or not, but it would appear they were well prepared to rebut peoples concerns.

--

"Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
Why do so many sites collect personal information? by amichalo · 2005-04-20 05:22 · Score: 4, Informative

I work with eCommerce for a living. Credit card processing requires the CC#, Exp date, CVV2 code (the digits on the back of the card) and the billing Zipcode.

Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)

I try to refuse to provide a SSN whenever I recocgize it isn't needed (like to establish an account at the local dry cleaners) but so often, employees become adjitated, as if I am trying to hide something.

We as consumers need to do more to protect our own personal data from getting to 3rd parties in the first place.

Now obviously Ameritrade needs such financial and personally identifying information for SEC and IRS compliance, but in that case, they should be required by an oversight body to protect that information.

HIPPA protects the privacy rights of US citizens healthcare information and has two very important rules:
(1) information must be secured
(2) only the minimal information may be collected when required and only the minimal information may be shared with those who require it.

Why doesn't this exist for SSN, bank account numbers, etc?

--
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Argh! by crimoid · 2005-04-20 05:25 · Score: 4, Insightful

"this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.

I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.
Re:actually.... by The+Slashdolt · 2005-04-20 05:27 · Score: 4, Funny

Dear Sir,

Recently, we were sending all of the money in your account to another branch and, well, it got lost on the way. Sorry, shit happens.

Sincerely,
Your Bank

--
mp3's are only for those with bad memories
Re:Tape? For backups yes by ihaddsl · 2005-04-20 05:48 · Score: 4, Informative

What you are quoting are the rules for archival storage of information (that is the rule that requires orginasations to store for 6 years data relating to their transactions for compliance purposes.) This does not apply to all information retained by brokers (but to specific transactional related data), and it most certainly does not apply to regular backup procedures