Data Theft Notifications - How Soon is Too Soon?
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?"
They should do more to keep it from happening in the first place. Seriously, there's a new breach at some major corporation or government office every other week or so. It's ridiculous.
ZuluPad, the wiki notepad on crack
Lock it down. Cancel the email account and have any attached credit cards cancelled/changed. Change your checking account number. Keep thorough records and dig to find recent bank statements, etc. This can be a huge hassle.
File complaints with the federal and your state Attorneys General against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.
I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.
FairTax baby!
Kudos to you! I'm surprised that you have gotten as much information from them as you have. When a breach occurs, a company's first response is always to circle the wagons and cover up the mishap as soon as possible. This means keeping the bad press from anyone that doesn't already know, especially including the people in their customer service department who could let a thing like this slip.
But in answer to your question about how soon should people be notified, it's kind of a funny question. Your personal information has probably been acquired by four or more fraudsters already. So it's like asking, "How soon would you like to know that your phone number has been published in the phone book?" Or "How soon would you like to know that anyone can get your house number by walking down your street and looking at the mailboxes?" How soon would you like to know that your personal information has gotten out? It's already out there. Your social name, address, birth date, driver's license number, social security number, etcetera, have already been gotten by the criminals. If they didn't steal it, they probably just bought it from the credit bureaus.
Or Credit Card Company.
Or magazine publisher.
Or your state's Department of Transportation...
http://www.cioinsight.com/article2/0,1540,2012398,00.asp
You just realized that you made a programming mistake that could cost your company millions. How soon would you tell them? How long would you scramble in the hopes that you could possibly fix it and cover your error?
Hours?
Days? (no one's said anything yet).
Weeks? (I think I fixed it!).
Months? (Oh shit!)
As soon as it becomes public knowledge that they've got a vulnerability somewhere, the number of people poking around their interface attempting to stumble upon that hole (or other ones) will skyrocket. Better to fix known problems before they essentially invite the community to look for chinks in their armor. That said, as soon as any known holes are patched, they should inform the affected users; or, if they can't determine whose information was nabbed, they should alert all of their customers.
Keep in mind that no matter how suspicious the circumstances, unless you use that email address solely for your brokerage account, there's really no way to prove a connection unless the company admits it. A friend of mine started playing online poker, used his email address to sign up for the site, and doesn't get any poker spam. A week or so later, his wife started getting a ton of poker-related spam at her email address. It's just a coincidence, though it's about impossible to convince her of that.
I've seen a huge uptick in stock spam lately, across the board (I have a number of email accounts and only one of them is tied to a brokerage). Maybe you're just on the same spam lists.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I missed the part about "dedicated to my online trading account." It sounds like there's definitely been a breach, but my opinion of when customers should be notified remains the same.
I've been receiving spam to an email account I used only with Ameritrade.
Here's my story, it meanders off-topic but I think it is worth posting as an example of another kind of data breach, one caused by corporate greed:
Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with, as in slashdot thinks my email is slashdot@mydomain.com, amazon thinks it is amazon@mydomain.com and etrade thinks it is etrade@mydomain.com - those examples are simplified for illustrative purposes.
A while back, before the bubble burst, I dabbled in some options trading in my etrade account. Therefore, Etrade's marketing department decided that would make my contact information something they could sell to the CBOE and I started getting bi-weekly spam from somebody on behalf of the CBOE trying to sell me all kinds of bullshit options information -- all sent to my etrade-only address.
After about a year of that crap, it finally stopped on its own. But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable.
Whenever I get one these brokerage spams, I have to laugh. Etrade breached my privacy to make a buck or two and I'm sure they did the same thing to tens of thousands of other customers. But the end result is that their competition now has a confirmed mailing list of etrade customers, and the stupid greedy bastards GAVE it to them.
I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...
When information is power, privacy is freedom.
I think I have been getting the same spam, which really bugs me because until a few weeks ago I only got ~1 per month that missed the junk filter in my catchall account, but now I get ~5 per week to my personal email address (that I try not to give away). Do the emails go something like this:
--
Explosive pick for our members.
A massive PR campaign is starting now! MAJOR NEWS!!!
Trade Date: Monday September 18, 2006
Company: LAS VEGAS RESERVATIONS
Ticker: LVCC
Current price: $1.25
5-day Target: $4.00-$6.00
Get In Now!
--
with the text as an image?
I create addresses specifically to receive mail from retailers I order from. For example: companynameorderjunk@mydomain.com.
I NEVER type these addresses anywhere, and they are not something a wide net spam sender would guess...
Over the last few years i have had about 4 situations where those very account specific addresses began receiving a LOT of spam.
The sites included Dell, and PCMall. The PCMall ones were primarily sexual in nature...
I have thought of every possible way they could have gotten that address, and a security breach seems like the only feasible way. I have never typed those addresses anywhere else (no forums, no re-use on other sites, etc...), have never had a virus or spyware on my machine (OSX, thank you very much), so there is really one source for those addresses, the company's internal database.
Anyone else experience this before?
Cloud City Digital: DVD Production at its cheapest/finest
As an operator of a mailserver I know I do frequently get dictionary attacks (searching through names for mailing addresses) and sometimes these turn up addresses which aren't used (like my "stats" account or mail sent to "apache" or "mailman"). Usually these addresses later received subsequent spam - and often it is the most shady kind of spam such as the stock scam emails. So it is possible that the address may have been discovered through this means.
isomerica.net | Foonetic IRC
"I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'
Is the trading company called Ameritrade by any chance? They got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&start=60
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Except that, if that were the case, he'd be seeing a lot more spam to his other addresses too.
...
Case in point: I gave a cycling advocacy group an email address. Two letters @ my domain. Some time later, I got spam to that address. It wasn't a dictionary attack: I didn't receive any spam to any other two letter addresses (my domain accepts *all* email to it, save for specific, known compromised addresses). It wasn't a compromise of my email traffic, because there was very little genuine traffic to that address; I would have expected other addresses to be compromised before that one if somebody were sniffing traffic. Etc. Etc.
There's also the fact that it's spams that are targeted towards the type of email address he has: stock pump and dump schemes sent to his trading account address.
If it walks like a duck, and quacks like a duck
Like all "ethical" behavior you have to consider the effects on those involved.
If they suspect the breach is still under way they need to keep it quiet to try to catch the intruder, which has a variety of benefits to the customer.
If there's any reasonable chance that silence could result in recovery of data before it's re-transmitted then it would be justified.
If silence gives them a few extra days to assess & secure their network then it might be justified.
It's never justified to keep it quiet for the company's benefit, only for the customers' benefit. Of course, without inside knowledge you can never conclusively know. That's why we have governments to enforce laws and regulate business (at least in theory).
Ongoing Investigation? Was the company hacked? Was a CIA Agent's name leaked?
Victims should be told right away that it is suspected that there was a breach, and given an outline of how the investigation will be performed. But the company should be careful (mostly for legal reasons) to be reserved and give only as much information as needed.
That which does not kill me only postpones the inevitable.
Ameritrade/TD-W also let its email addresses out, too. My specifically-for-Ameritrade email address got vanilla (same type as my other accounts; not investing at all) spam. So I changed it. Again.
DT
Is this thing on? Hello?
In the banking industry, the applicable regulation is fairly strict... the institution must "promptly" notify customers of a material breach and there are relatively few loopholes. So if your broker or whoever was part of a bank, then this would apply. However, if your e-mail address was all that was compromised, they don't really need to notify you. By definition, e-mail addresses are not private information, any more than your physical address is. A number of states, notably California, have privacy laws that can be invoked, but the trigger for a material breach is usually the compromise of a combination of personal identifying data such as name and address (including e-mail addresses) and sensitive nonpublic personal information such as login credentials, account numbers, etc. You might see whether there is a law in your state that applies.
assuming that you live in or are doing business in the USA
So, there I am, riffling through the mail. I see a letter from the VA. I read it. It says "Dear Vet, Apart from hating you, we also might have lost enough information to allow Russian gangsters simple access to all your financial holdings."
Then I get a letter that says "Never mind."
I really do believe that the Feds have begun to channel Rosanne Rosanna-Danna.
Oh. PS from the Feds: "We still really hate you. Please die soon. Quietly."
668: Neighbour of the Beast
Before it happens?
Lately I've gotten lots of stock spam through a sneakemail address assigned to VMWare. The interesting thing is that I used two separate sneakemail addresses, one for the demo download and one for the purchase of VMWare Workstation. All the spam goes to the demo address so it's tempting to think that they sold it. There's probably a less sinister explanation but the point is that blatant stuff like this does happen with reputable companies.
Sneakemail users will recognize the format in the From line:
Received: from abhll.ozlhz ([70.144.236.219])
by adsl-144-233-36.aby.bellsouth.net (8.13.3/8.13.3) with SMTP id k8KHYm5t078080;
Wed, 20 Sep 2006 13:34:48 -0400
From: "Lesley Horne xnray-at-ddzine.com |VMWare|"
To: sneakemail@xxx.com
Subject: conjunction
Date: Wed, 20 Sep 2006 13:24:51 -0400
Right! Someone has been capturing traffic to his ISP, and instead of grabbing his credit card info and his passwords, they are just content to snatch his e-mail address. If he was hacked, the hackers would have done a lot worse than stealing his email addy you dumbass!
This was the most retarded comment I have read. You must be an American. Sheesh.
Spam is often sent to made up addresses. So, if your email address was "joetrader@foo.com", it is entirely possible that a spammer synthesized the address. You need to use addresses that are not easily guessable, for example, joetrader@foo.com. If you already had a hard-to-guess address, then you have a point.
Join the window installer's union, where prosperity is a brick throw away!
If a tape is missing, how do they know if it's been stolen? If a system is infected with a general purpose trojan, how do they know the extent to which the data was compromised, or if anything was downloaded at all? There would be a lot of false alarms if companies had to alert customers every time there was a possibility of data theft.
But if you believe that sensitive data was probably stolen, then you should have to alert the people you believe were probably affected immediately. The only problem with this is that it's near impossible to write and enforce laws based on non-absolutes such as beliefs and probability, and it's in a company's best interest to keep such problems secret, pushing the envelope of minimal regulatory compliance to its extreme.
Sometimes, a company can only make a security threat worse by declaring the problem exists.
Let's take a stolen laptop, for example. If Company A suffers a laptop theft, and the laptop (for whatever stupid reason) has the personal data of thousands of customers or employees on it, how should that company respond? This is obviously an example of poor security to begin with (no one should have that kind of information on a laptop taken off the premises), but how do you keep a bad situation from getting worse?
I see no clear best answer. Do you announce it to the world and all of your customers? While this would be a perfectly acceptable and reasonable knee-jerk response, I'm not convinced it's the best one. What happens if the punks who took the laptop are only interested in pawning it, ditching it at the first possible moment, likely to someone who doesn't really care about the data on there (obviously, however, they might)? If you notify the world of the theft and what was lost, you've just greatly increased the likelihood that information could be used against you and let the crooks know they have something of much more value - you could (and that is the key word here) make a problem worse while acting with the best intentions.
On the other hand, hiding this problem from your customers is certainly not ethical. It's their data, their money after all. But by assuming the worst could happen and informing people, do you ensure the worst will happen?
I'm not sure there's always a best way to handle these things - sometimes it could be informing everyone, at other times it could just mean scrutinizing accounts more closely while keeping everything quiet. It's a hard thing to balance.
I'm no security professional, but I'd like to ask those who are - is my reasoning correct, or am I totally off? If I'm off, please feel free to critique/correct at will, as I would love to hear more.
So, according to Bill AB 424 in the Great Sovereign State of California, any company negligent in the protection of customer identity data must immediately inform the offended party upon being made aware of the breach.
:)
I understand that there have been several attempts to leverage that law on behalf of US citizens who can't afford to live in California (us poor, ol' east coast folks!) to require major corporations transacting any business in California to immediately disclose based on that law.
I'm sure there's jurisdictional issues, but there's at least some chance in hell that virtue jurisprudence will prevail.
Anyone with an actual Litt.D, SJD, or otherwise more qualified care to add fact to my hype and speculation?
"Adventure? Excitement? A Jedi craves not these things."
Get out of that broker now. Move all your assets to another broker. You don't want to have assets with a broker in trouble.
I've been through a broker bankruptcy, and it's a huge hassle. Yes, you eventually get the assets back, but you may be trapped in a position and unable to trade out of it.
How soon should such a company let its customers know that their data has been compromised?
That depends, how long does it take to finance a new Ferrari and a yacht to ship it out of the country?
Push Button, Receive Bacon
Credit card info and passwords will be encrypted, if a user is taking any precautions at all.
However, most connections between MTAs (Message Transfer Agents like Sendmail, Postfix, etc.) are not encrypted. My Postfix server offers TLS to anyone that connects, but very few MTAs actually use it.
It would be difficult to capture credit card numbers, but trivial to capture email addresses from RFC-822 headers.
I really wonder who the dumbass is.
They should tell you right away so you can make any necessary changes to protect yourself, especially if the info compromised is a credit card or bank account number.
I bought a CD from an online store a few years back. They got hacked, and customers' credit card numbers were stolen. I got a call that same day from the store, saying that they were aware of a problem and that I should take measures to protect myself. I really appreciated that. I have gone back to them several times, because of their honesty with me, and also because of the borderline-paranoia about security that follows a successful attack/theft.
bash: rtfm: command not found
I too have noticed an update in 'stock' related SPAM.
When I left my previous ISP host, netmegs.com, I immediately began receiving spam on the address I used to correspond with them on.
I just figured it was sour grapes for them and eventually began filtering that address.
Recently, I began receiving SPAM on 2 addresses that I use exclusively for my online trading account. At first, this made me think there was a breach at my broker. Then I noticed that many other email addresses that I used to use for specific vendors began spamming me, even addresses that I have not used since switching hosting services. This makes me believe that my brokerage is not at fault but it's my old hosting company that has either compromised old email data or outright sold it to spammers.
I contacted my brokerage about 4 weeks ago when I first noticed the problem. They responded quickly but the more I investigate the problem the more I think it's my old hosting service. They are named in this message so buyer beware.
Are we talking here about Ameritrade? We used a dedicated email address when we registered with them a few years back and we started getting spam on that address maybe 2 or 3 months ago. I changed our email correspondence address just two weeks ago, and I'm hoping that the California law that requires companies to reveal identity theft security breaches will kick in and force Ameritrade to fess up if something bad had gone down.
I had a Datek account, which was acquired by Ameritrade. Before closing the account (if I had wanted to be an Ameritrade customer, I would've joined them to begin with), I changed the associated email address to ameritrade@mydomain. I have since received spam at that address. So Ameritrade either sold out its customers, or had a privacy breach.
Additionally, VirtualBank has either been hacked or has sold my email address, and who knows what other privileged information. I've been getting hundreds of spams to my virtualbank address all year. They refuse to even respond to my inquiries.
Ameritrade leaks your email too. I own several domains and I use one as a check to see if anyone is selling my email address. When I register an account I give them a email that looks like:
somedomain.com.(64-bit number in hex)@mydomain.com
I generate the 64-bit number for each address; only addresses that have the correct 64-bit number get through. This way I know for sure (nearly) if someone has sold my email address.
I only receive stock spam through the address associated with ameritrade.com. When I called ameritrade to complain they insisted they don't sell email addresses and the problem was not their fault, despite multiple attempts to explain to them why this is highly improbable. They claimed my computer or mail server must have been hacked. But they offered me 25 free trades as a show of good faith, I declined and moved my account to Charles Schwab and so far they haven't sold my email address.
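The per-vendor tagged-address scheme described in the post above (vendor name plus a 64-bit hex number in the local part, with mail to any other local part dropped) can be checked mechanically on the receiving mail server. The following is an added example and not the poster's own script; it assumes the tag is derived with HMAC-SHA256 under a secret key rather than stored as a random number, so no lookup table is needed, and it assumes a hypothetical domain mydomain.com. It also adds a triage step that, given the recipient addresses of a batch of spam, reports which vendor's copy of the address got out and how many messages were sent to guessed addresses instead.

```python
import hashlib
import hmac
import re

# Constructed values for this example; keep the real key out of any config
# that other people can read.
SECRET_KEY = b"example-secret-key-not-for-real-use"
MY_DOMAIN = "mydomain.com"

# local part = <vendor>.<16 hex chars>; the vendor may contain dots (ameritrade.com)
_ADDR_RE = re.compile(
    r"^(?P<vendor>[a-z0-9.-]+)\.(?P<tag>[0-9a-f]{16})@(?P<domain>[a-z0-9.-]+)$"
)


def vendor_tag(vendor: str, key: bytes = SECRET_KEY) -> str:
    """64-bit tag for a vendor: the first 8 bytes of HMAC-SHA256(key, vendor).

    Assumption: a keyed hash stands in for the poster's stored random number,
    so the server can verify a tag without keeping a table of issued tags.
    """
    digest = hmac.new(key, vendor.lower().encode(), hashlib.sha256).digest()
    return digest[:8].hex()


def make_address(vendor: str, key: bytes = SECRET_KEY, domain: str = MY_DOMAIN) -> str:
    """The address to hand to one vendor, e.g. ameritrade.com.<tag>@mydomain.com."""
    vendor = vendor.lower()
    return f"{vendor}.{vendor_tag(vendor, key)}@{domain}"


def check_recipient(address: str, key: bytes = SECRET_KEY, domain: str = MY_DOMAIN):
    """Return the vendor name if the recipient carries a valid tag, else None.

    Guessed or dictionary-generated local parts fail here, so only mail to
    addresses we actually issued is accepted.
    """
    m = _ADDR_RE.match(address.strip().lower())
    if not m or m.group("domain") != domain:
        return None
    vendor = m.group("vendor")
    if not hmac.compare_digest(m.group("tag"), vendor_tag(vendor, key)):
        return None
    return vendor


def triage(recipients, key: bytes = SECRET_KEY, domain: str = MY_DOMAIN):
    """Count spam hits per vendor from a batch of recipient addresses.

    Returns (hits_by_vendor, rejected_count). A vendor with hits is the one
    whose copy of your address got out; rejected mail never matched a tag.
    """
    hits = {}
    rejected = 0
    for r in recipients:
        vendor = check_recipient(r, key, domain)
        if vendor is None:
            rejected += 1
        else:
            hits[vendor] = hits.get(vendor, 0) + 1
    return hits, rejected


# Constructed sample: three spams to issued addresses, two to guesses.
SAMPLE_SPAM_RECIPIENTS = [
    make_address("ameritrade.com"),
    make_address("ameritrade.com"),
    make_address("amazon.com"),
    "ameritrade.com.0000000000000000@mydomain.com",  # right vendor, wrong tag
    "bob@mydomain.com",  # plain dictionary guess
]

if __name__ == "__main__":
    print(make_address("ameritrade.com"))
    print(triage(SAMPLE_SPAM_RECIPIENTS))
```

Because the tag is keyed, a spammer who sees one issued address learns nothing about the tag for any other vendor, and a mailbox can be retired simply by blocklisting that vendor name; the secret key is what has to stay private.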
This happened to me too, and in the same timeframe you describe. I changed my e-mail address used with the company, and the spam stopped. So I knew that someone had compromised their database of e-mail addresses briefly.
The company is TD Ameritrade.
Carnage Blender
Of course you can refuse to click, but that would make you a gay!
Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.
The trading company might also have given out the address voluntarily (and now doesn't want to admit to that) or it could be a lucky guess of the spammer (maybe a dictionary attack of sorts). I know they used to try use commonly-used nicks on my domain for a while. (Then I turned the catch-all off...)
I had my identity stolen in 2000 or so and am still trying to fix it, even though I've notified all the relevant authorities numerous times... It wasn't until that I think the person took a mortgage out in my name that they cleared the fraudulent charges... and they still won't clear the drivers licences or addresses the guy took out in my name without showing up at police station on the other side of the country!
Hiring a lawyer to fix this may have been quicker, but would have cost thousands, so I'd say, change any accounts immediately that may have been compromised.
...After the incident with Kivas Fajo, all of Federation's androids have been outfitted with a subspace alarm that goes off when the androids' signal is lost.
How soon is too soon? At all. For them, at least. There is no real reason for them to admit anything. They don't really lose a whole lot by not admitting things. A couple savvy users isn't really worth the cost of the bad PR. Yeah, ideally they'd let everyone know as soon as the possibility of a leak was made known to them, but this world doesn't run on ideals.
True security only comes when it's in the best interests of the person for whom the security is a cost, particularly at a corporate level. I'm sure they spare no expense on the armored car that takes their booty to the bank*.
*Yeah, I know that they probably do all their transactions financially. I suck at coming up with real-world examples.
I had an account with Datek, which was bought by Ameritrade, which... was it recently bought by someone else?
There's a long-running thread on the bbs for spamgourmet discussing a bunch of events like this -- spamgourmet users generally use a unique email address for each of their accounts, and so can quickly identify a problem (unless it was with spamgourmet itself, of course, but records so far show that hasn't happened). The response of the companies varies from complete denial and reticence to surprising accountability. None of it ever ended up in court, afaik.
who's moderating the meta-moderators?
Or it might just have been a guess. I have email addresses which I have NEVER given to ANYONE and they still attract spam. These guys just randomly combine names with domains in the hope of hitting a live account.
> How soon should such a company let its customers know that their data has
> been compromised?
They will do so shortly after you go public with their name. Don't you think you should tell us who they are so we will know who not to do business with?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This has happened to my accounts, *twice*. TDAmeritrade and Interactive Brokers have both compromised my one off email addresses for their systems to stock touts - not once, but TWICE. I changed the two one off email's in their systems after noticing the stock tout scum spam scams, only to have the two newly generated emails compromised yet again within weeks. I ask, what other information have they sold/stolen??? These clowns are protecting my life's savings in brokerage accounts, but can't even keep my email account locked down?! Try complain - I did... what a farce. Wasted my breath and insult to my intelligence the complaint process was...
If Aliens from another Galaxy contact Bush, should the gub'ment freak out the citizens by have a press conference about the contact? I say no! We have wars to win and a couple more to start = freaking out the citizens is NOT in the game plan. Carry on!
It might've been dumb freaking luck.
:P)
My primary e-mail account is presently suffering a deluge of stock scam spam. Sure, my main account, that's been around for ages.
The fun part is, accounts I have created but have never used (even on different domain names) are also suffering the deluge.
Unless your e-mail address is 9fjxj28_dcj29j2@whatever.com, there's always the chance that they've simply stumbled across your address by accident. No bounce = send more mail. Send lots more mail.
(Hell, often times bounce = send more mail, send lots more mail.
that after W. took office, he had the FBI stop notifying the victims. Prior to that, the victims were notified right away.
Have to admit I'm clueless about "allowable" characters in an email address, but suppose a user happened to use the plus sign (+) in their username, but not in the context of the discussion. It would mean the spammer would possibly miss a target (by stripping everything after the +), which they'd avoid if possible, presumably. I guess most likely they'd spam every possible iteration since it costs them nothing to cover all bases.
Is it possible you're the victim of a dictionary attack? These days spammers are sending junk to $RANDOMNAME@knowndomainname.com. I've seen this on both big national ISP domain names and dinky domain names that I own. If your user name is a common name and letter, it might be getting hit at random without any need for compromising your account.
Two wrongs don't make a right, but three lefts do.
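Both the mail-server operator earlier in the thread (who sees dictionary attacks turn up unused names like "stats" and "apache", which later receive spam) and the post above point at the same alternative explanation: the address was guessed, not leaked. An operator can tell the two apart from the server's own rejection log. The following is an added example, not code from any poster: it parses constructed Postfix-style smtpd "User unknown" rejection lines, counts distinct nonexistent recipients per client IP, flags clients that probed several names, and lists the probed addresses, which are the ones to expect spam on. The log format, the threshold, and the 192.0.2.0/24 (TEST-NET-1) client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Postfix-style rejection lines (not real logs); 192.0.2.0/24 is TEST-NET-1.
SAMPLE_LOG = """\
Sep 20 13:34:01 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <stats@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<stats@mydomain.com> proto=SMTP helo=<host.invalid>
Sep 20 13:34:02 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <apache@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<apache@mydomain.com> proto=SMTP helo=<host.invalid>
Sep 20 13:34:02 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <mailman@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<mailman@mydomain.com> proto=SMTP helo=<host.invalid>
Sep 20 13:34:03 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <joe@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<joe@mydomain.com> proto=SMTP helo=<host.invalid>
Sep 20 13:34:03 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <webmaster@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<webmaster@mydomain.com> proto=SMTP helo=<host.invalid>
Sep 20 13:35:10 mail postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.20]: 550 5.1.1 <jon@mydomain.com>: Recipient address rejected: User unknown in local recipient table; from=<friend@example.org> to=<jon@mydomain.com> proto=ESMTP helo=<mail.example.org>
Sep 20 13:35:11 mail postfix/smtpd[4243]: 1A2B3C4D5E: client=mail.example.org[192.0.2.20]
"""

# Matches the client IP and the rejected recipient of a "User unknown" rejection.
_REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9a-f.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def unknown_recipients_by_client(log_text: str):
    """Map each client IP to the set of nonexistent local addresses it tried."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = _REJECT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return probes


def flag_dictionary_attacks(log_text: str, threshold: int = 3):
    """Clients that tried at least `threshold` distinct unknown recipients.

    One bad address is a typo; several distinct ones from one client is
    address harvesting. Returns {ip: distinct_count} for flagged clients.
    The count is per log batch; a production check would use a time window.
    """
    return {
        ip: len(rcpts)
        for ip, rcpts in unknown_recipients_by_client(log_text).items()
        if len(rcpts) >= threshold
    }


def harvested_candidates(log_text: str, threshold: int = 3):
    """Addresses probed by flagged clients: the ones likely to start getting spam."""
    probes = unknown_recipients_by_client(log_text)
    flagged = flag_dictionary_attacks(log_text, threshold)
    return sorted(addr for ip in flagged for addr in probes[ip])


if __name__ == "__main__":
    print(flag_dictionary_attacks(SAMPLE_LOG))
    print(harvested_candidates(SAMPLE_LOG))
```

With a catch-all domain there are no "User unknown" rejections to count, which is why the operator in the thread only noticed the probing when spam later arrived at the unused names; rejecting unknown recipients at RCPT time is what makes the harvesting visible.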
On the part of companies to inform their customers when there is a security breach and that might compromise their information. That is something that, despite efforts by many security professionals, most companies still fall quite short in.
Unfortunately, we as the customers are often the ones that suffer from companies' attempts to always escape from this sort of thing unscathed.
Justin - Don't be afraid of my blog, it won't bite.
You should notify as soon as you have reason to think that a customer can do anything to mitigate problems. If the customer can't do anything, or there is no problem to mitigate, delay is more a matter of PR. But if you delay when a customer who knew about a breach could have prevented further problems, well, you're culpable.
The company you are dealing with (the broker), probably outsources its email list to some other company. That other company may be shady/aggressive, or it may be offshore, or some of its employees may pilfer the email addresses and sell them to spammers.
That could be all there is.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
Another concern raised is that many companies don't even realize they've been hacked. "Data breach notification laws assume companies are able to detect the loss of personal data in the first place and then determine if lost data contained personally identifiable information."
The post cites a recent Ponemon Institute study that found most companies don't have sufficient data security detection measures in place to even detect data thefts.
I'm 100% certain the same thing happened to me, too, as I also have a dedicated email account for that purpose which I have *never* given to anyone else. Heck, I've never even sent an email from that account.
I, too, have contacted the firm--twice in fact--and have gotten the same story, and I'm beginning to get pissed off about it. Same run around. And this has been going on for at least six months.
A friend of mine who's a former trader recommended I go to the compliance office; if some announcement isn't made in the next couple of weeks, I'm going to have to resort to that because, like you, I know in my core there was either
* a theft by an insider
* a security breach
If not, they're violating their contract and have sold our information to third parties. Seems like for any of the above, they're in trouble.
At my local university, they routinely leak my e-mail address by sending out e-mail messages with my address in them. (This could either be for internal correspondence or for a bulk sending to a bunch of people.) Invariably, someone's PC eventually gets a virus, and presto my e-mail address goes out to a hundred million different recipients. I actually think that viruses, spyware, and botnets generate a significant fraction of e-mail spam addresses.
In case the above didn't work, my local university is also good at the following activities:
a) Posting e-mail addresses on websites. I can't randomize my e-mail address fast enough when dealing with my university.
b) Getting their own outgoing e-mail messages blocked as spam (sometimes by their own spam filters), then wondering why I didn't get the e-mail message.
c) Forwarding the class list to some terrorist sympathizing individual, who helpfully forwards the list to his buddies. I then get Anti-American hate propaganda.
d) Complaining about the amount of spam e-mail they receive.
Don't assume that companies actually understand why people complain about released e-mail addresses. Some of the individuals can be the smartest intellectuals around, and not understand how their own actions cause problems.
This probably has nothing to do with your account. I started getting stock touting emails, and was suspicious that someone had sold my email address. However, now I get at least 1 a day on 5 different email accounts, including at work.
I've heard these emails being cited as evidence that this or that brokerage, investor service, or whatever has been compromised. However, email addresses I never used to sign up for anything, internal email aliases at work, etc., are all being hit. The most reasonable explanation is a spate of dictionary attacks.
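The dictionary-attack explanation in the comment above can be checked on the receiving side rather than guessed at: a harvester walks a wordlist of local parts against your domain, so the mail server log shows one client IP producing a run of "User unknown" rejections, typically in alphabetical order, against few or no accepted sessions. The script below is an added example, not code from this thread; it assumes Postfix's smtpd reject log format, and the log lines, IPs and addresses in it are constructed.

```python
"""Added example (not from the thread): spotting a recipient-harvesting
("dictionary") attack in Postfix smtpd logs.

Assumption: the standard Postfix reject and queue-id line formats. The
sample log is constructed; a real run would read /var/log/mail.log.
"""
import re
from collections import defaultdict

# Constructed sample: 198.51.100.7 walks a wordlist (aaron, abby, adam, alan)
# and gets one session queued; 203.0.113.9 is a partner that typo'd one address.
SAMPLE_LOG = """\
Aug  3 10:01:12 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<aaron@example.com> proto=ESMTP helo=<mail.example.net>
Aug  3 10:01:13 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<abby@example.com> proto=ESMTP helo=<mail.example.net>
Aug  3 10:01:13 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<adam@example.com> proto=ESMTP helo=<mail.example.net>
Aug  3 10:01:14 mx1 postfix/smtpd[2211]: 4F2C1A0B: client=unknown[198.51.100.7]
Aug  3 10:01:14 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.net> to=<alan@example.com> proto=ESMTP helo=<mail.example.net>
Aug  3 10:02:40 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 550 5.1.1 <bob.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.example> to=<bob.smith@example.com> proto=ESMTP helo=<mail.partner.example>
Aug  3 10:02:41 mx1 postfix/smtpd[2214]: 4F2C1A0C: client=mail.partner.example[203.0.113.9]
"""

# "User unknown" rejection: capture the client IP and the rejected recipient.
REJECT_RE = re.compile(
    r"RCPT from [^\s\[]+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
# A session that got a queue ID, i.e. at least one recipient was accepted.
ACCEPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=[^\s\[]+\[(?P<ip>[^\]]+)\]"
)


def parse_smtpd_events(log_text):
    """Return ('unknown', ip, local_part) or ('accepted', ip, None) per matching line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            local_part = m.group("rcpt").split("@", 1)[0].lower()
            events.append(("unknown", m.group("ip"), local_part))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            events.append(("accepted", m.group("ip"), None))
    return events


def flag_dictionary_attacks(log_text, threshold=3):
    """Per client IP: distinct unknown recipients tried, accepted sessions,
    whether the guesses arrived in sorted order, and a suspect verdict."""
    tried = defaultdict(list)      # ip -> rejected local parts, in log order
    accepted = defaultdict(int)    # ip -> sessions that got a queue ID
    for kind, ip, local_part in parse_smtpd_events(log_text):
        if kind == "unknown":
            tried[ip].append(local_part)
        else:
            accepted[ip] += 1
    report = {}
    for ip in set(tried) | set(accepted):
        guesses = tried.get(ip, [])
        distinct = len(set(guesses))
        # Wordlist walkers emit local parts in sorted order; humans don't.
        alphabetical = len(guesses) >= 2 and guesses == sorted(guesses)
        # Many unknown recipients and far more rejects than accepted sessions.
        suspect = distinct >= threshold and distinct > 2 * accepted[ip]
        report[ip] = {"unknown_rcpts": distinct, "accepted": accepted[ip],
                      "alphabetical": alphabetical, "suspect": suspect}
    return report


def suspect_ips(report):
    """Client IPs the report flags as harvesting."""
    return sorted(ip for ip, r in report.items() if r["suspect"])


if __name__ == "__main__":
    for ip, r in flag_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, r)
    print("suspects:", suspect_ips(SAMPLE_LOG and flag_dictionary_attacks(SAMPLE_LOG)))
```

The threshold and the 2:1 reject-to-accept ratio are tuning knobs, not constants from any standard; a legitimate mailing-list host with a stale subscriber list can also rack up "User unknown" rejections, which is why the alphabetical-order signal is reported alongside the counts rather than folded into the verdict.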
Let's all stop being hysterical about this for a minute, stop and think.
If some nefarious evildoer got ahold of EVERYTHING, not just your e-mail address, you would be getting a lot more than spammed stock touts. I really doubt the OP's SSN/Checking Account has been compromised.
Think about it, if you are some bad guy with the complete customer records of XXX,000 brokerage customers, what are YOU going to do with it? Send out a measly XXX,000 e-mails touting some worthless stock, or just steal the money out of the checking accounts outright?
To me, this sounds like some greedy marketing dept. out to make a quick buck, not complete ID Theft.
SirWired
I'll try to guess what sporkme meant: In context, two countries are considered "overseas" if they have not agreed to help each other investigate fraud that occurs in the course of international commerce. The metaphor "overseas" applies because in the developed world, investigative cooperation correlates with sharing a border.
I'm pretty sure that Canada and US police work together. I'm not sure how far NAFTA and associated agreements go however.
Same thing happened to me or so I thought. I accused the library system of having a security breach when I started getting 5-6 spams a day with an unusual email address I had used for their system. Then a few more days went by and I started getting more spams from other dedicated email addresses I have. Guess what, malware or spyware was on my system and had grabbed the addresses out of my email client address book.
The fact that I get spam mentioning penis enlargement does not mean that Shoprite must have lost my value club card data to Sum Yung Gai who now knows I buy "modest" size Trojans. I hope the correlation is clear.
Similarly, an "ongoing investigation" with "outside agencies" can mean they've got a private security firm analyzing their systems; which is normal, and nothing to be worried about if they even said as much. Companies are always vague about things like this, but they're not necessarily the evil empire.
Don't get me wrong; spam can come from some pretty shady activity. What you, and everyone else, are saying is not impossible, but your example shows a lack of understanding, and does not prove or even suggest any correlation to this trading company aside from both parties having something to do with stocks.
Hell I get stock spam. Everyone does. You don't need to sign up for stuff these days to get spam. That much has been said already. If you don't want spam, talk to your email provider. They're probably already blocking a few hundred spam messages a day. And who knows where those come from? *creepy music*
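The comment above turns on one check: is the spam landing only on the address given to the broker, or on other dedicated addresses too? The script below is an added example, not code from this thread. It reads the To: header of received spam, maps each plus-tagged address back to the party it was given to, and goes one step beyond the comment by keeping a "canary" address that was never disclosed to anyone: if that one gets hit, the address book itself leaked, as in the library story above. The addresses, parties and messages are constructed.

```python
"""Added example (not from the thread): triaging which dedicated addresses
receive spam, to tell a single-party leak from local harvesting or a
dictionary attack. All addresses, parties and messages are constructed."""
import email
from collections import Counter
from email.utils import getaddresses

# Constructed address book: each plus-tagged address and who it was given to.
# None marks a canary that exists only in the local address book.
ADDRESS_BOOK = {
    "me+broker@example.org": "online broker",
    "me+library@example.org": "public library",
    "me+shop@example.org": "grocery loyalty card",
    "me+canary@example.org": None,
}

# Constructed raw messages; only the To: header matters for the triage.
SAMPLE_SPAM = [
    "From: tips@example.net\nTo: <me+broker@example.org>\nSubject: XYZQ ready to explode\n\nbody",
    "From: alerts@example.net\nTo: Me <me+broker@example.org>\nSubject: XYZQ strong buy\n\nbody",
    "From: promo@example.net\nTo: me+library@example.org\nSubject: Cheap meds\n\nbody",
    "From: news@example.net\nTo: me+canary@example.org\nSubject: Hot penny stock\n\nbody",
    "From: news@example.net\nTo: me@example.org\nSubject: Hot penny stock\n\nbody",  # untracked, ignored
]


def recipients(raw_message):
    """Lower-cased addresses taken from every To: header of one raw message."""
    msg = email.message_from_string(raw_message)
    return [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]


def triage(raw_messages, address_book):
    """Count hits per tracked address and decide what the pattern suggests."""
    hits = Counter()
    for raw in raw_messages:
        for addr in recipients(raw):
            if addr in address_book:          # untracked addresses say nothing
                hits[addr] += 1
    canary_hits = sorted(a for a in hits if address_book[a] is None)
    parties_hit = sorted({address_book[a] for a in hits if address_book[a] is not None})
    if canary_hits:
        # An address nobody was ever given is receiving mail: the local
        # address book (malware) or the mail provider leaked, not one vendor.
        verdict = "local_compromise_or_dictionary"
    elif len(parties_hit) == 1:
        # Only the address given to one party is hit: that party is the
        # leak candidate, which is the situation the original question describes.
        verdict = "single_party_leak"
    elif parties_hit:
        # Several unrelated parties hit at once: a shared cause is more likely.
        verdict = "multiple_parties_hit"
    else:
        verdict = "no_tagged_hits"
    return {"hits": dict(hits), "parties_hit": parties_hit,
            "canary_hits": canary_hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_SPAM, ADDRESS_BOOK)
    for addr, n in sorted(result["hits"].items()):
        print(f"{addr}: {n} spam(s), given to {ADDRESS_BOOK[addr] or 'nobody (canary)'}")
    print("verdict:", result["verdict"])
```

A single-party verdict is evidence, not proof: the broker's own mail provider, a mailing-list tool it uses, or malware on the subscriber's side that only saw that one address produce the same pattern, so it is the starting point for the complaint to the compliance office, not the conclusion.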
Getting back to the question of whether a company should go public about a security breach, I think it would depend on the circumstances. If publicity would hinder an undercover investigation or sting operation, a delay could be justifiable.
For what it's worth, on another occasion last year, Ameritrade did lose a data backup tape containing customer account information during shipment back in February 2005, and went public about it two months later (http://www.networkworld.com/news/2005/0420ameriwarns.html) after notifying customers who may have been affected.
And here's an extensive blog entry about the Ameritrade incidents-- with many corroborating comments pointing to the late July early August 2006 timeframe: http://www.billkatz.com/node/77.
How soon is too soon? I think that is not the question. I think the question is how well people know about spam. Clearly people do not complain about spam because they might think that spam is harmless; that is, until they know that they have been deceived.
It requires a business or government entity to notify an individual in writing or email when it is believed that personal information - such as a Social Security number, driver's license, or credit card number - has been compromised. Only two exceptions to notification exist. First, upon the written request of law enforcement for purposes of a criminal investigation; and second, for national security purposes. You can't tell the true impact of identity theft by looking at the numbers. You see it in the stories of the victims.
Later on, whenever the unauthorized party wants to breach the information, they could say "hello there".