Monday, September 17, 2007

Ameritrade's 6 million customers hit with security breach

A massive security breach - leaving millions of American vulnerable to greater identity theft - has TD Ameritrade Holding Corp. scrambling to explain how such a breach could happen, and why it allegedly took them so long to tell their customers that it had. According to the Associated Press:

Online brokerage TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority and local authorities.

But Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade’s servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber.
The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.


END

The issue of data breaches, and corporate reluctance to inform their customers when one has occurred, relates to Friday's post detailing AB 779 (Jones), a bill awaiting Gov. Schwarzenegger's signature. If signed, the legislation would require retailers to reimburse financial institutions for the cost of fixing breached financial data, force greater disclosure of details about breaches, including a description of the categories of personal data that might have been compromised, and finally, it would explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.

Blogger Ed Dickson gives some advice for anyone interested in learning more about the issue:

Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all compile information on data breaches, which happen so frequently, they are becoming almost “too routine” news events. If anyone, who was has been affected by a data breach wants independent advice on what to do if you become an identity theft victim, the Privacy Rights Clearinghouse has a very informative page about this, here.

No comments: