Ameritrade Customer Data Lost 324
Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."
Yeah it's nasty but is this stuff news? (Score:2, Informative)
http://news.bbc.co.uk/1/hi/business/4444477.stm [bbc.co.uk]
American Century (Score:2, Informative)
An Epidemic? (Score:5, Informative)
I originally posted an expanded version of this list on my blog [rockbandit.net] to start keeping track of everything.
Here is basically what it looks like:
Date: 04-18-2005
Name of Organization: Ameritrade
How: Lost backup tape with shipping agency
People Affected: 200,000
Link: http://money.cnn.com/2005/04/19/technology/amerit
Date: 04-14-2005
Name of Organization: Polo Ralph Lauren - Mastercards
How: "Security Breach" - Hackers
People Affected: 180,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?file=/n
Date: 04-08-2005
Name of Organization: San Jose Medical Group
How: Stolen Laptop
People Affected: 185,000
Link: http://www.sfgate.com/cgi-bin/article.cgi?f=/news
Date: 03-29-2005
Name of Organization: UC Berkeley
How: Stolen Laptop
People Affected: 98,000
Link: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2
Date: 03-26-2005
Name of Organization: Northwestern University
How: "Security Breach" - Hackers
People Affected: 21,000
Link: http://www.chicagotribune.com/technology/chi-0503260274mar26,1,5138021.story?coll=chi-technology- [chicagotribune.com]
Anyway, this is definitely getting ridiculous and out of hand. And it seems we're pretty much helpless to control it as well. When are a lot of these companies going to stop requiring valuable information like social security numbers and such?
Re:Data loss... or ... data collection? (Score:5, Informative)
Why do so many sites collect personal information? (Score:5, Informative)
Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)
I try to refuse to provide a SSN whenever I recognize it isn't needed (like to establish an account at the local dry cleaners) but so often, employees become agitated, as if I am trying to hide something.
We as consumers need to do more to protect our own personal data from getting to 3rd parties in the first place.
Now obviously Ameritrade needs such financial and personally identifying information for SEC and IRS compliance, but in that case, they should be required by an oversight body to protect that information.
HIPAA [wikipedia.org] protects the privacy rights of US citizens' healthcare information and has two very important rules:
(1) information must be secured
(2) only the minimal information may be collected when required and only the minimal information may be shared with those who require it.
Why doesn't this exist for SSN, bank account numbers, etc?
Tape? They're not allowed to use tape. (Score:4, Informative)
(i) The member, broker, or dealer must notify its examining authority designated pursuant to section 17(d) of the Act (15 U.S.C. 78q(d)) prior to employing electronic storage media. If employing any electronic storage media other than optical disk technology (including CD-ROM), the member, broker, or dealer must notify its designated examining authority at least 90 days prior to employing such storage media. In either case, the member, broker, or dealer must provide its own representation or one from the storage medium vendor or other third party with appropriate expertise that the selected storage media meets the conditions set forth in this paragraph (f)(2).
(ii) The electronic storage media must:
(A) Preserve the records exclusively in a non-rewriteable, non-erasable format;
(B) Verify automatically the quality and accuracy of the storage media recording process;
(C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
(D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
Brokers are required to use a storage medium where tampering is evident. Once that was bound ledger books written in ink. Later, it was bound books of computer printouts. Then it was microfiche. Today, it's CD-ROM or DVD-ROM. But not magnetic tape. Not even for backup.
And if a securities firm outsources some of its back office operations, the outsourcing firm has to make certain filings with the SEC:
(i) If the records required to be maintained and preserved pursuant to the provisions of Sec.Sec. 240.17a-3 and 240.17a-4 are prepared or maintained by an outside service bureau, depository, bank which does not operate pursuant to Sec. 240.17a-3(b)(2), or other recordkeeping service on behalf of the member, broker or dealer required to maintain and preserve such records, such outside entity shall file with the Commission a written undertaking in form acceptable to the Commission, signed by a duly authorized person, to the effect that such records are the property of the member, broker or dealer required to maintain and preserve such records and will be surrendered promptly on request of the member, broker or dealer and including the following provision
...
Ameritrade needs to address these issues. As a broker, they are not allowed to be casual about record-keeping.
Re:OK, you try PGPing 15TB of data (Score:3, Informative)
Re:Tape? For backups yes (Score:4, Informative)
Re:actually.... (Score:3, Informative)
(yeah, you could get a replacement check from the payer, but that isn't always easy...)