Data Theft Notifications - How Soon is Too Soon?
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?"
Kudos to you! I'm surprised that you have gotten as much information from them as you have. When a breach occurs, a company's first response is always to circle the wagons and cover up the mishap as soon as possible. This means keeping the bad press from anyone that doesn't already know, especially including the people in their customer service department who could let a thing like this slip.
But in answer to your question about how soon people should be notified, it's kind of a funny question. Your personal information has probably been acquired by four or more fraudsters already. So it's like asking, "How soon would you like to know that your phone number has been published in the phone book?" Or "How soon would you like to know that anyone can get your house number by walking down your street and looking at the mailboxes?" How soon would you like to know that your personal information has gotten out? It's already out there. Your name, address, birth date, driver's license number, social security number, etcetera, have already been gotten by the criminals. If they didn't steal it, they probably just bought it from the credit bureaus.
Or Credit Card Company.
Or magazine publisher.
Or your state's Department of Transportation...
http://www.cioinsight.com/article2/0,1540,2012398,00.asp
As soon as it becomes public knowledge that they've got a vulnerability somewhere, the number of people poking around their interface attempting to stumble upon that hole (or other ones) will skyrocket. Better to fix known problems before they essentially invite the community to look for chinks in their armor. That said, as soon as any known holes are patched, they should inform the affected users; or, if they can't determine whose information was nabbed, they should alert all of their customers.
Keep in mind that no matter how suspicious the circumstances, unless you use that email address solely for your brokerage account, there's really no way to prove a connection unless the company admits it. A friend of mine started playing online poker, used his email address to sign up for the site, and doesn't get any poker spam. A week or so later, his wife started getting a ton of poker-related spam at her email address. It's just a coincidence, though it's about impossible to convince her of that.
I've seen a huge uptick in stock spam lately, across the board (I have a number of email accounts and only one of them is tied to a brokerage). Maybe you're just on the same spam lists.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Here's my story, it meanders off-topic but I think it is worth posting as an example of another kind of data breach, one caused by corporate greed:
Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with, as in slashdot thinks my email is slashdot@mydomain.com, amazon thinks it is amazon@mydomain.com and etrade thinks it is etrade@mydomain.com - those examples are simplified for illustrative purposes.
A while back, before the bubble burst, I dabbled in some options trading in my etrade account. Therefore, Etrade's marketing department decided that would make my contact information something they could sell to the CBOE and I started getting bi-weekly spam from somebody on behalf of the CBOE trying to sell me all kinds of bullshit options information -- all sent to my etrade-only address.
After about a year of that crap, it finally stopped on its own. But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable.
Whenever I get one of these brokerage spams, I have to laugh. Etrade breached my privacy to make a buck or two and I'm sure they did the same thing to tens of thousands of other customers. But the end result is that their competition now has a confirmed mailing list of etrade customers, and the stupid greedy bastards GAVE it to them.
I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...
When information is power, privacy is freedom.
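The per-service alias scheme described in the post above doubles as a leak tripwire: any mail that arrives at the etrade-only address from a sender who is not etrade means that address has been shared, sold or stolen. The script below is an added example (not code from the original thread) that scores a mailbox that way. The alias-to-owner mapping, the sender domains and the sample messages are all constructed for illustration. Note the caveat from the thread: the From header is trivially forged, so this tells you who is *using* an alias, not who leaked it.

```python
"""Per-service e-mail aliases as leak tripwires (added example, constructed data).

Each online service gets its own alias (etrade@mydomain.com, amazon@mydomain.com, ...).
Mail to an alias from a sender that is not the service the alias was issued to is
evidence that the address has been shared, sold or stolen. The From header can be
spoofed, so this identifies who is using the address, not who leaked it.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "mydomain.com"  # hypothetical

# Alias local part -> sender domains that alias was issued to (hypothetical mapping).
ALIAS_OWNERS = {
    "etrade": {"etrade.com"},
    "amazon": {"amazon.com"},
    "slashdot": {"slashdot.org"},
}

# Constructed sample messages; sender domains are invented, not real mailers.
SAMPLE_MESSAGES = [
    "From: ETrade Alerts <alerts@etrade.com>\nTo: etrade@mydomain.com\nSubject: Statement ready\n\nbody",
    "From: Options News <news@optionsmailer.example>\nTo: etrade@mydomain.com\nSubject: Options insight\n\nbody",
    "From: Broker Promo <promo@brokerpromo.example>\nTo: etrade@mydomain.com\nSubject: Switch brokers\n\nbody",
    "From: Amazon.com <ship-confirm@amazon.com>\nTo: amazon@mydomain.com\nSubject: Shipped\n\nbody",
    "From: Stock Pick <pump@lvcc-promo.example>\nTo: etrade@mydomain.com\nSubject: Explosive pick\n\nbody",
]


def classify(raw):
    """Return (alias, sender_domain, foreign) for one raw RFC 822 message.

    Returns None when the recipient is not one of our tracked aliases.
    `foreign` is True when the sender domain is neither the alias owner's
    domain nor a subdomain of it (e.g. mail.etrade.com is accepted).
    """
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in to_addr or "@" not in from_addr:
        return None
    local, domain = to_addr.lower().rsplit("@", 1)
    if domain != MY_DOMAIN or local not in ALIAS_OWNERS:
        return None
    sender_domain = from_addr.lower().rsplit("@", 1)[1]
    owners = ALIAS_OWNERS[local]
    foreign = not any(
        sender_domain == d or sender_domain.endswith("." + d) for d in owners
    )
    return local, sender_domain, foreign


def leak_report(raw_messages):
    """Map each alias to the sorted list of third-party sender domains seen on it."""
    report = defaultdict(set)
    for raw in raw_messages:
        result = classify(raw)
        if result is not None and result[2]:
            alias, sender_domain, _ = result
            report[alias].add(sender_domain)
    return {alias: sorted(domains) for alias, domains in report.items()}


if __name__ == "__main__":
    for alias, senders in leak_report(SAMPLE_MESSAGES).items():
        print(f"{alias}@{MY_DOMAIN} is receiving mail from "
              f"{len(senders)} third parties: {', '.join(senders)}")
```

Run it over an mbox export (one raw message per element) and the aliases with a non-empty entry are the ones whose issuers, or someone who got into their database, let the address out. Several distinct third-party domains on one alias, as in the post above, is the pattern of an address that has been resold rather than leaked once.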
I think I have been getting the same spam, which really bugs me because until a few weeks ago I only got ~1 per month that missed the junk filter in my catchall account, but now I get ~5 per week to my personal email address (that I try not to give away). Do the emails go something like this:
--
Explosive pick for our members.
A massive PR campaign is starting now! MAJOR NEWS!!!
Trade Date: Monday September 18, 2006
Company: LAS VEGAS RESERVATIONS
Ticker: LVCC
Current price: $1.25
5-day Target: $4.00-$6.00
Get In Now!
--
with the text as an image?
So, according to Bill AB 424 in the Great Sovereign State of California, any company negligent in the protection of customer identity data must immediately inform the offended party upon being made aware of the breach.
:)
I understand that there have been several attempts to leverage that law on behalf of US citizens who can't afford to live in California (us poor, ol' east coast folks!) to require major corporations transacting any business in California to immediately disclose based on that law.
I'm sure there's jurisdictional issues, but there's at least some chance in hell that virtue jurisprudence will prevail.
Anyone with an actual Litt.D, SJD, or otherwise more qualified care to add fact to my hype and speculation?
"Adventure? Excitement? A Jedi craves not these things."
I bought a CD from an online store a few years back. They got hacked, and customers' credit card numbers were stolen. I got a call that same day from the store, saying that they were aware of a problem and that I should take measures to protect myself. I really appreciated that. I have gone back to them several times, because of their honesty with me, and also because of the borderline-paranoia about security that follows a successful attack/theft.
bash: rtfm: command not found
Employees and contractors coming in contact with money, financial data (of which SSN is one piece), and any other customer data should be bonded. That is not a perfect solution, but a good first step. Try working in a bank branch without being bonded -- probably not going to happen. Banks know there's a lot at risk (and the government probably requires it anyway), and they want the employees to be accountable for their actions.
24 beers in a case, 24 hours in a day. Coincidence? I think not!