Slashdot Mirror


Data Theft Notifications - How Soon is Too Soon?

bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?" "Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?"

23 of 137 comments

  1. Do more by omeomi · · Score: 3, Insightful

    They should do more to keep it from happening in the first place. Seriously, there's a new breach at some major corporation or government office every other week or so. It's ridiculous.

    1. Re:Do more by bky1701 · · Score: 2, Funny

      Damn software pirates stealing data!!!!1!111!11one

    2. Re:Do more by AusIV · · Score: 3, Insightful

      That's easy to say, but it's really not so simple. Some data leaks happen because of software issues. More likely an employee figured they could make a buck selling data. Hiring more trustworthy employees requires paying more money, and that has to get passed on to the customers, who in turn take their business somewhere cheaper and less trustworthy. Customers want security, but they're not willing to pay a little extra for it.

    3. Re:Do more by omeomi · · Score: 3, Insightful

      Hiring more trustworthy employees requires paying more money, and that has to get passed on to the customers, who in turn take their business somewhere cheaper and less trustworthy

      For companies and agencies that have to have highly sensitive information like SSN's on file, there should be an exceptionally small number of people who have access to that information. A small enough number that I can count them on one hand. And none of those people should ever be allowed to take any portion of that list out of the system in any way, not on a thumb drive, not on a laptop, nothing. The vast majority of the employees should only be able to access the last 4 numbers of any given person for verification purposes.

    4. Re:Do more by houghi · · Score: 3, Insightful

      For companies and agencies that have to have highly sensitive information like SSN's on file

      First start with the fact of whether or not the company needs the SSN. When in doubt, the answer is no.

      employees should only be able to access the last 4 numbers of any given person for verification purposes.

      It is a Social Security Number, not a Person Verification Number. If you use it for anything other than Social Security reasons, you do not need to get it in the first place.
      The best way not to lose the data or be tempted to sell it is not to have it.
      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:Do more by The+Snowman · · Score: 2, Informative

      Try it next time you sign up for a bank account.

      Your bank reports capital gains on your accounts to the IRS. They need your SSN. If you don't give it to them, they probably won't give you an account.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    6. Re:Do more by The+Snowman · · Score: 2, Interesting

      Very true, yet you get a drug test, but how many firms do a background or credit check on everyone who comes in contact with the data? Are your contractors liable?

      Employees and contractors coming in contact with money, financial data (of which SSN is one piece), and any other customer data should be bonded. That is not a perfect solution, but a good first step. Try working in a bank branch without being bonded -- probably not going to happen. Banks know there's a lot at risk (and the government probably requires it anyway), and they want the employees to be accountable for their actions.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
  2. Safe/sorry by sporkme · · Score: 4, Informative

    Lock it down. Cancel the email account and have any attached credit cards cancelled/changed. Change your checking account number. Keep thorough records and dig to find recent bank statements, etc. This can be a huge hassle.

    File complaints with the federal and your state Attorneys General against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.

    I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.

  3. Plug the hole first by ShaunC · · Score: 3, Interesting

    Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?

    If there's actually a security situation, I'd rather they plug the hole first prior to making an announcement.

    As soon as it becomes public knowledge that they've got a vulnerability somewhere, the number of people poking around their interface attempting to stumble upon that hole (or other ones) will skyrocket. Better to fix known problems before they essentially invite the community to look for chinks in their armor. That said, as soon as any known holes are patched, they should inform the affected users; or, if they can't determine whose information was nabbed, they should alert all of their customers.

    Keep in mind that no matter how suspicious the circumstances, unless you use that email address solely for your brokerage account, there's really no way to prove a connection unless the company admits it. A friend of mine started playing online poker, used his email address to sign up for the site, and doesn't get any poker spam. A week or so later, his wife started getting a ton of poker-related spam at her email address. It's just a coincidence, though it's about impossible to convince her of that.

    I've seen a huge uptick in stock spam lately, across the board (I have a number of email accounts and only one of them is tied to a brokerage). Maybe you're just on the same spam lists :)
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  4. How stupid is E*Trade? by Jah-Wren+Ryel · · Score: 5, Interesting

    Here's my story, it meanders off-topic but I think it is worth posting as an example of another kind of data breach, one caused by corporate greed:

    Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with, as in slashdot thinks my email is slashdot@mydomain.com, amazon thinks it is amazon@mydomain.com and etrade thinks it is etrade@mydomain.com - those examples are simplified for illustrative purposes.

    A while back, before the bubble burst, I dabbled in some options trading in my etrade account. Therefore, Etrade's marketing department decided that would make my contact information something they could sell to the CBOE and I started getting bi-weekly spam from somebody on behalf of the CBOE trying to sell me all kinds of bullshit options information -- all sent to my etrade-only address.

    After about a year of that crap, it finally stopped on its own. But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable.

    Whenever I get one of these brokerage spams, I have to laugh. Etrade breached my privacy to make a buck or two and I'm sure they did the same thing to tens of thousands of other customers. But the end result is that their competition now has a confirmed mailing list of etrade customers, and the stupid greedy bastards GAVE it to them.

    I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...

    --
    When information is power, privacy is freedom.
    1. Re:How stupid is E*Trade? by (H)elix1 · · Score: 4, Informative

      And for those who can't run their own email servers, a handy trick for those using a gmail account is to add a '+' to the user name, and it will deliver. Say I had a gmail account called slashdot@gmail.com. I could email slashdot+etrade@gmail.com and it will resolve to the slashdot@gmail.com address. Very handy for finding out who is being bad with privacy information when they ask for an email address.

    2. Re:How stupid is E*Trade? by jfengel · · Score: 2, Insightful

      I would expect that a spammer would automatically strip out anything after the +, but I don't have any experimental data on that.

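    The two tagging schemes discussed above (one mailbox per service on your own domain, or a Gmail "+tag"), plus the list-cleaning step the reply worries about, as an added illustration that is not part of the original comments. The domain `mydomain.com`, the function names and the sample "To:" addresses are constructed for this example.

    ```python
    from collections import Counter

    # Assumptions for this illustration: 'mydomain.com' is a domain you
    # control with a catch-all mailbox; the spam 'To:' addresses below are
    # constructed, not real captures.
    MY_DOMAIN = "mydomain.com"
    PLUS_DOMAINS = {"gmail.com", "googlemail.com"}


    def service_tag(address):
        """Return the service an address was handed to, or None if untagged.

        Own-domain scheme:  etrade@mydomain.com       -> 'etrade'
        Gmail plus scheme:  slashdot+etrade@gmail.com -> 'etrade'
        """
        local, sep, domain = address.strip().lower().rpartition("@")
        if not sep:
            return None
        if domain == MY_DOMAIN:
            return local
        if domain in PLUS_DOMAINS:
            _base, plus, tag = local.partition("+")
            return tag if plus and tag else None
        return None


    def canonicalize(address):
        """The cleanup a list broker can apply before reselling: drop the
        '+tag' and, for Gmail, the dots in the local part. The plus scheme
        loses its attribution here; the own-domain scheme survives because
        the service name is the mailbox itself."""
        local, sep, domain = address.strip().lower().rpartition("@")
        if not sep:
            return address.strip().lower()
        if domain in PLUS_DOMAINS:
            local = local.split("+", 1)[0].replace(".", "")
        return f"{local}@{domain}"


    def leak_report(recipients):
        """Count unsolicited deliveries per service tag, so the service that
        leaked (or sold) the address is named by the mail itself."""
        counts = Counter()
        for rcpt in recipients:
            tag = service_tag(rcpt)
            if tag is not None:
                counts[tag] += 1
        return dict(counts)


    # Constructed sample: 'To:' addresses pulled from a spam folder.
    SAMPLE_SPAM_TO = [
        "etrade@mydomain.com",
        "ETrade@MyDomain.com",          # case differs, same mailbox
        "hertz@mydomain.com",
        "slashdot+amazon@gmail.com",
        "slashdot@gmail.com",           # tag already stripped: attribution lost
        "random@example.org",           # not one of ours
    ]

    if __name__ == "__main__":
        for addr in SAMPLE_SPAM_TO:
            print(f"{addr:28} tag={service_tag(addr)!s:8} "
                  f"after-cleaning={canonicalize(addr)}")
        print(leak_report(SAMPLE_SPAM_TO))
    ```

    The practical difference between the schemes is what `canonicalize` shows: stripping everything after `+` is a one-line normalization, so a tagged Gmail address is only as informative as the spammer is lazy, while an address whose whole local part is the service name cannot be "cleaned" without losing the mailbox.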
    3. Re:How stupid is E*Trade? by ptbarnett · · Score: 2, Interesting
      Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with [....]

      I do the same thing. So, I'll get to the point quickly...

      The email address that I use for my Hertz rental membership has been distributed to spammers, twice. The first time, I sent a complaint and after a while I got a patronizing response about how it couldn't be them, and was instead someone else to whom I had given the address. It must have been a form response, as I had already explained that it was an address I had given only to them. I sent a second and rather strident message, repeating that they were the only company that had the email address in question, and that if they didn't want to be black-listed by my company's travel agent, they would do something besides blowing me off.

      I got a relatively quick response the second time, apologizing for their mistake and a further explanation about how they were pursuing the spammers in court to determine the source of the leak. I apparently wasn't the only one that followed up with a similar message, because I subsequently got spam addressed to hertz@mydomain, hertz@anotherdomain, hertz@yetanotherdomain and so on -- for about a dozen similar addresses. I changed the address on my car rental profile to another address, and again started getting spam a few years later. Since my profile is accessible to any agent with a terminal at a Hertz rental office, spammers can probably always find someone that is willing to make a few bucks.

      But, I've always wondered: how secure are ISPs? For a while, every article about "Carnivore" made the front-page of Slashdot. Forget the feds for a moment: how difficult would it be for a network technician to configure a router/switch and modify an open-source network sniffer to snatch email addresses from the stream of email going to/from their customers -- and keep it hidden from anyone else that isn't in on it?

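    To the sniffer question above: on an unencrypted SMTP hop the envelope addresses are plain text on the wire, so harvesting them is a few lines of parsing; once STARTTLS succeeds, a passive tap sees only ciphertext. This is an added illustration, not code from the original comment. The two session transcripts are constructed ("C:" client to server, "S:" server to client), and the hostnames and addresses in them are made up.

    ```python
    import re

    # Constructed transcripts, not real captures.
    PLAIN_SESSION = """\
    S: 220 mx.example.net ESMTP
    C: EHLO sender.example.org
    S: 250 mx.example.net
    C: MAIL FROM:<newsletter@broker.example.com>
    S: 250 OK
    C: RCPT TO:<etrade@mydomain.com>
    S: 250 OK
    C: RCPT TO:<hertz@mydomain.com>
    S: 250 OK
    C: DATA
    S: 354 End data with <CR><LF>.<CR><LF>
    C: To: "Customer" <etrade@mydomain.com>
    C: Subject: hot stock tip
    C: .
    S: 250 Queued
    C: QUIT
    S: 221 Bye
    """

    TLS_SESSION = """\
    S: 220 mx.example.net ESMTP
    C: EHLO sender.example.org
    S: 250-mx.example.net
    S: 250 STARTTLS
    C: STARTTLS
    S: 220 Go ahead
    C: <TLS handshake and encrypted application data>
    S: <encrypted>
    """

    ENVELOPE_RE = re.compile(r"^C:\s*(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)
    BODY_ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


    def harvest(transcript):
        """Pull addresses out of a captured SMTP session the way a tap on
        the wire could.

        Returns {'senders', 'recipients', 'body_addrs', 'tls'}. Harvesting
        stops at a successful STARTTLS (client sends STARTTLS, server
        answers 220): from there on only ciphertext is visible, which is
        the practical answer to "how hard would this be" for any hop that
        negotiates TLS.
        """
        out = {"senders": [], "recipients": [], "body_addrs": [], "tls": False}
        lines = transcript.splitlines()
        in_data = False
        for i, line in enumerate(lines):
            if line.strip().upper() == "C: STARTTLS":
                nxt = lines[i + 1] if i + 1 < len(lines) else ""
                if nxt.startswith("S: 220"):
                    out["tls"] = True
                    break
            if not in_data:
                m = ENVELOPE_RE.match(line)
                if m:
                    key = "senders" if m.group(1).upper() == "MAIL FROM" else "recipients"
                    out[key].append(m.group(2).lower())
                elif line.strip().upper() == "C: DATA":
                    in_data = True
            else:
                # Inside DATA: a lone '.' from the client ends the message.
                if line.strip() == "C: .":
                    in_data = False
                elif line.startswith("C:"):
                    out["body_addrs"].extend(a.lower() for a in BODY_ADDR_RE.findall(line))
        return out


    if __name__ == "__main__":
        for name, session in (("plain", PLAIN_SESSION), ("starttls", TLS_SESSION)):
            print(name, harvest(session))
    ```

    The envelope (`MAIL FROM` / `RCPT TO`) is what a harvester wants, since it is the real delivery address even when the `To:` header is a list name or a bcc; a session that negotiates TLS yields nothing to a passive observer, so the exposure the comment describes is specifically the plaintext hops.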
  5. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  6. Are we talking about Ameritrade? by SysKoll · · Score: 3, Informative

    "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'

    Is the trading company called Ameritrade by any chance? They've got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&start=60

    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

    1. Re:Are we talking about Ameritrade? by dangitman · · Score: 2, Funny
      [spamgourmet.com]

      Damn, I went there looking for recipes. Please stop using misleading domain names.

      --
      ... and then they built the supercollider.
  7. As stupid as Ameritrade by DuctTape · · Score: 2, Informative

    I've since opened an account with TD Waterhouse (aka Ameritrade)...

    Ameritrade/TD-W also let its email addresses out. My specifically-for-Ameritrade email address got vanilla spam (same type as my other accounts; not investing at all). So I changed it. Again.

    DT

    --
    Is this thing on? Hello?
  8. certain laws may apply by sharp-bang · · Score: 2, Informative

    In the banking industry, the applicable regulation is fairly strict... the institution must "promptly" notify customers of a material breach and there are relatively few loopholes. So if your broker or whoever was part of a bank, then this would apply. However, if your e-mail address was all that was compromised, they don't really need to notify you. By definition, e-mail addresses are not private information, any more than your physical address is. A number of states, notably California, have privacy laws that can be invoked, but the trigger for a material breach is usually the compromise of a combination of personal identifying data such as name and address (including e-mail addresses) and sensitive nonpublic personal information such as login credentials, account numbers, etc. You might see whether there is a law in your state that applies.

    --
    #!
  9. Are they incorporated in California??? by soren42 · · Score: 2, Interesting

    So, according to Bill AB 424 in the Great Sovereign State of California, any company negligent in the protection of customer identity data must immediately inform the offended party upon being made aware of the breach.

    I understand that there have been several attempts to leverage that law on behalf of US citizens who can't afford to live in California (us poor, ol' east coast folks!) to require major corporations transacting any business in California to immediately disclose based on that law.

    I'm sure there's jurisdictional issues, but there's at least some chance in hell that virtue jurisprudence will prevail.

    Anyone with an actual Litt.D, SJD, or otherwise more qualified care to add fact to my hype and speculation? :)

    --

    "Adventure? Excitement? A Jedi craves not these things."
  10. priorities by macadamia_harold · · Score: 3, Funny

    How soon should such a company let its customers know that their data has been compromised?

    that depends, how long does it take to finance a new ferrari and a yacht to ship it out of the country?

  11. Notify Immediately by ErichTheWebGuy · · Score: 2, Interesting

    I bought a CD from an online store a few years back. They got hacked, and customers' credit card numbers were stolen. I got a call that same day from the store, saying that they were aware of a problem and that I should take measures to protect myself. I really appreciated that. I have gone back to them several times, because of their honesty with me, and also because of the borderline-paranoia about security that follows a successful attack/theft.

    --
    bash: rtfm: command not found
  12. ANSI and BBB Standards by joeflies · · Score: 2, Informative

    Although this was JUST announced a few weeks ago, ANSI and the Better Business Bureau are setting up a working group to define standards and best practices for how to address identity theft. The scope is to first catalogue what standards and best practices exist, and then go beyond and define what else needs to be documented.

    Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.

  13. Re:Maybe YOU were hacked by Asic+Eng · · Score: 2, Informative

    The trading company might also have given out the address voluntarily (and now doesn't want to admit to that) or it could be a lucky guess by the spammer (maybe a dictionary attack of sorts). I know they used to try to use commonly-used nicks on my domain for a while. (Then I turned the catch-all off...)