Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Privacy

Ameritrade Customer Data Lost 324

Posted by CmdrTaco from the it's-going-to-get-worse-before-it-gets-better dept.
Rollie Hawk writes "Continuing the recent trend of customer data blunders in the news, Ameritrade has announced the loss of the personal data of up to 200,000 customers. The suspected cause is a routing error, but not the network kind. The online discount broker admitted that a backup tape of customer account data from 2000 to 2003 has been misplaced. They claim the cause is an error on the part of a shipping company. The tape was identified as missing in February, soon after being shipped. According to spokeswoman Donna Kush, nothing suspicious has been reported. Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor." It's doubtful that current and former customers with exploited information will care how this occurred. She further claimed that Ameritrade "has every reason to believe" that the tape has either been destroyed or is being held by the shipper. There's no word yet on how they arrived at this conclusion."
This discussion has been archived. No new comments can be posted.

Ameritrade Customer Data Lost More

Ameritrade Customer Data Lost

Comments Filter:

  • Data loss... or ... data collection? (Score:5, Interesting)

    by rsborg ( 111459 ) on Wednesday April 20, 2005 @11:53AM (#12293529) Homepage
    Maybe I'm wandering into tinfoil-hat territory here, but what's with this recent spate [slashdot.org] of customer [slashdot.org] data loss [slashdot.org]? I mean, holy hell.. there's been something like several millions of records of customer data being reported as "lost" or "stolen" lately... is someone [epic.org] trying to collect data on everyone surreptitiously?

    I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories...

    • Re:Data loss... or ... data collection? (Score:5, Insightful)

      by stinerman ( 812158 ) on Wednesday April 20, 2005 @11:58AM (#12293606)
      A comment on one of those stories considered that a lot of this data theft/loss has to do with the fact that many companies (Choicepoint) are collecting data on people who are not their customers. There is no incentive for those businesses to keep the data safe.

      As far as customer data loss, it could be any number of factors. I think a lot of it has to do with lax security policy at some of these businesses. Perhaps after this round of scares, others will step up their security.
      • There is no incentive for those businesses to keep the data safe.

        No incentive?! There's a HUGE stack of negative PR that says you're wrong. Granted, Choicepoint may or may not have considered this before hand, but they've been raked over the coals over this issue (justifyably so). I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.

        • Re:Data loss... or ... data collection? (Score:5, Insightful)

          by stinerman ( 812158 ) on Wednesday April 20, 2005 @01:18PM (#12294454)
          I'd bet that nearly every customer of Choicepoint is wondering if their data is safe.

          It went way over your head.

          Choicepoint is little more than a data aggregator. Choicepoint's customers are people who buy the information they collect on people like you. You are not a customer of Choicepoint even though your information is what they are selling. They have no incentive to keep your data safe because you aren't their customer.
    • This is possible. However, the Ameritrade privacy policy [ameritrade.com] states that they can share personal information of clients with non-affiliated business to improve quality of service. The only thing preventing this from happening is an option that clients can request to not have their information trade with non-affiliates. I don't see any reason to pretend to 'lose' customer data, when you simply sell it legally.

    • Re:Data loss... or ... data collection? (Score:5, Informative)

      by Daedala ( 819156 ) on Wednesday April 20, 2005 @12:08PM (#12293719)
      This isn't a recent spate of customer data loss. It is, as you note, a recent spate of customer data loss reporting. It's mostly due to California Civil Code 1798, [harp.org] formerly known as State Bill 1386. Before we were just quietly leaking like a sieve; now we know we are.

    • Re:Data loss... or ... data collection? (Score:5, Insightful)

      by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Wednesday April 20, 2005 @12:10PM (#12293754) Homepage Journal
      California did pass a law requiring the reporting of incidents. It is unclear if this has anything to do with the reports, other than these reports all came out afterwards.


      At least two companies have increased initial estimates of data loss by an order of magnitude, which means at least one incident does indeed involve between one to two million records.


      It is reasonable to assume that these companies are not any less concerned about security than others. If we assume, then, that these incidents are on a national basis rather than just in California, between fifty million to a hundred million records holding sensitive personal data are at risk or have been compromised. Between a third to a sixth of the entire population of the US.


      At this point, the existing system is broken enough as to be unsafe. No matter what is done to it, up to a third of the population will remain at significant risk. That, to me, is unacceptable.


      The "best" method may be to place a requirement that all future systems with confidential or sensitive data be locked down and secure, with extremely limited, controlled access. And 100% liability if standards are not met. After that legislation is in place, change the format of Social Security numbers to deliberately break all existing systems, forcing an upgrade.


      Yeah, that's going to be a pain to a lot of businesses. But as the problem was caused by the deliberate recklessness of said businesses in the first place, it is hard to be too sympathetic.

    • I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories...

      Sarbanes-Oxley Act (SOX) of 2002. [aicpa.org] This act was a response to the corporate/financial malfeasance of Enron and Worldcomm. Every publicly traded company is required by law to have SOX controls in place, with corporate executives asses (and financial fines to the company)

    • I mean, it's probably more likely that some law got passed in the past few years that's forcing companies to highlight all these incidents of compromised data, but it seems pretty spooky that we just recently hear about all these stories.

      Ah, this type of stuff has been going on forever. The only new thing about it though is now people out side of company IT departments know that the data was misplaced/lost/stolen and it is reported in major newspapers now. I like having this information in the news. In th

  • Question (Score:5, Insightful)

    by elid ( 672471 ) <eli.ipod@g m a il.com> on Wednesday April 20, 2005 @11:54AM (#12293544)
    If date is being transported via a 3rd party carrier, wouldn't it make sense to encrypt the data first?

    • Re:Question (Score:3, Insightful)

      by AviLazar ( 741826 )
      How do you know the data was not encrypted? I read the article, I do not recall seeing anything about encryption.
    • I'll come back and ask you how you're getting on in a month or two.

      • 1. There are algorithms that are designed for realtime encryption, i.e. twofish. 2. There is special hardware that can perform encryption/decryption much more efficiently than your general-purpose CPU. Just because microsoft backup doesn't support encryption doesn't mean that any serious backup software won't do it. If your backup software/system doesn't support encryption, it was designed for home-users (despite what it claims). When the market demands encryption, software vendors will step up. Or may

    • Re:Question (Score:5, Interesting)

      by soconnor99 ( 83952 ) on Wednesday April 20, 2005 @12:27PM (#12293962)
      The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.

      All this information was sent in a letter last week.

      As a customer, I feel it was nice for them to keep me in the loop, but I don't feel the least bit threatened.

      Pretty much every company I've ever worked for uses some sort of courier service to move backup tapes off site. If something happens with that courier, after every reasonable precaution was taken by Ameritrade (which it certainly appears it has), it's pretty much out of their control.

      They said what's happened, and what they think the exposure is. What else would you have them do, not send their backup tapes offsite?
      • Not quite what the Ameritrade person was quoted on CNN [cnn.com]:
        In addition, she said, the missing back-up tape contained compressed data that would require very advanced computer systems to access.

        Compressed != Encrypted

      • Re:Question (Score:4, Insightful)

        by NMerriam ( 15122 ) <NMerriam@artboy.org> on Wednesday April 20, 2005 @12:50PM (#12294200) Homepage
        The data was encrypted. According to Ameritrade (my broker), special hardware is required to read the information, even if the tape was found.

        Yeah, but that could just be marketing-speak for "you need a $2,000 tape drive to read the tape". Of course you need special equipment, the question still remains as to whether or not the data was encrypted on the fly during backup, or if it is stored as such and backed up in the same state. I would NOT consider it acceptable for a financial services company to ship around huge volumes of unencrypted customer data via third parties.

        All that said, this is about the only recent customer data loss that in theory I find "acceptable", just because there are not a lot of practical ways to move backups to the opposite coast, and Fedex is a pretty typical choice. Fedex losing a package is rare, but it does happen -- not a lot Ameritrade can do about it.

        Yes, I am an Ameritrade customer, but haven't received a letter so I assume (!) that means I wasn't on that backup tape.

      • Re:Question (Score:5, Funny)

        by Politburo ( 640618 ) on Wednesday April 20, 2005 @12:52PM (#12294224)
        According to Ameritrade (my broker), special hardware is required to read the information

        That's correct. The tape is unreadable with human eyes.
    • Apparently it was compressed an encrypted which is partly why they feel the data would be difficult to use.

    • Re:Question (Score:3, Interesting)

      by Greyfox ( 87712 )
      Most IT companies out there don't really understand encryption and to learn how to do it would be "too hard." That's because most of them are managed by Barbie.

      For example, the various banks, credit card companies and other institutions that might E-mail you COULD adopt a policy of signing all messages with a PGP key, the public portion of which would be available on their web page. However if you compare the billions of dollars lost each year to the 20 minutes it'd take them to learn how to use PGP, you'

  • Luckily.. (Score:5, Funny)

    by ShaniaTwain ( 197446 ) on Wednesday April 20, 2005 @11:54AM (#12293546) Homepage
    Luckily it was insured against loss and Ameritrade will be recieving a check for $100 dollars!

    oh HooRay!

  • actually.... (Score:3, Insightful)

    by AviLazar ( 741826 ) on Wednesday April 20, 2005 @11:55AM (#12293547) Journal
    It's doubtful that current and former customers with exploited information will care how this occurred.

    While I would be upset if this was my personal information, if Ameritrade did what they were supposed to do (as in ensuring the shipping company was a decent company) then I would not be so uptight about the situation. People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.

    • Re:actually.... (Score:3, Interesting)

      by rsborg ( 111459 )
      People like to scream, shout and vent. Shit happens. If someone was grossly at fault they should be flayed, if it was a pure accident (as such things happen) well it is what it is.

      Great, next time I lose some important info that could compromise someone else's credit security, I'll just claim it's an "accident" and that "Shit happens".

      Seriously, people would care if they

      • knew what data had been lost (were they SSN/name combos? Trade information? Bank routing info for transfer?)
      • Whether their had been affec
      • No, you are taking my words out of context. Next time read, comprehend and try not to just spout words to attempt to make a point. Again to reiterate: "If someone was grossly at fault they should be flayed," See this is blaming and punishing the parties who showed negligence. Now to continue "if it was a pure accident (as such things happen) well it is what it is", see this shows that accidents happen and nobody is at fault. Such things could happen from glitches in the tracking system, mother nature

        • Re:actually.... (Score:3, Insightful)

          by rsborg ( 111459 )
          Now to continue "if it was a pure accident (as such things happen) well it is what it is", see this shows that accidents happen and nobody is at fault. Such things could happen from glitches in the tracking system, mother nature, vandals/thieves, etc. While a company should try and minimize negative effects to their clients, bad things happen even when people take proper precautions.

          Bullshit. If BAD STUFF HAPPENS, even if it's an accident, then someone should be held liable (Think Exxon Valdez... they had

    • Re:actually.... (Score:5, Funny)

      by The Slashdolt ( 518657 ) on Wednesday April 20, 2005 @12:27PM (#12293955) Homepage
      Dear Sir,

      Recently, we were sending all of the money in your account to another branch and, well, it got lost on the way. Sorry, shit happens.

      Sincerely,
      Your Bank

      • Interstingly enough, if you deposit a check at an ATM, and they lose it (maybe a windy day) when unloading the stuff, they aren't liable. This is why I always give deposits to a real person.
        (yeah, you could get a replacement check from the payer, but that isn't always easy...)
    • I hope if I get into a car accident, I get into an accident with someone like you. 'It was just an accident.' 'Oh, okay then, no problem. Shit happens.'

      Someone was grossly at fault. They shipped unencrypted data via a shipping company.

  • In Other News (Score:5, Funny)

    by ackthpt ( 218170 ) * on Wednesday April 20, 2005 @11:55AM (#12293560) Homepage Journal
    HOLLAND, MI (OOP) OSTG has revealed that member data for Slashdot.org, an online technical news site, has been compromised. "At first we thought it was only a network error, until we noticed trends in trolling and moderation making little sense," said Rob Malda, who goes by the nickname of CmdrTaco and was one of the sites founders. "Posts which were clearly uninformative, insightful or interesting were receiving high marks, while better pieces were completely ignored." Further, Malda indicated the loss may have been as high as 100,000 ids and passwords. Which in the wrong hands could tip the opinions of nerds and geeks the world over. In early hours of trading the NASDAQ plummeted 11% on the news and downtown Holland, Michigan was in flames as a mob of panicking and angry posters went on a rampage, before sating itself on chocolate covered espresso beans at the Rocky Peanut Company and pausing to "ooh and ahh" at shiny things in the local Radio Shack window or gaze longingly at the poster for the upcoming Star Wars: Episode III, Revenge of the Sith outside the local theater. Said Holland mayor, Albert H. McGeehan, "Well, isn't this a fine kettle of tulips!" At press time OSTG had not returned any calls on the matter.

  • Yeah it's nasty but it is this stuff news ? (Score:2, Informative)

    by Anonymous Coward
    This is happening all the time now. Here's another:

    http://news.bbc.co.uk/1/hi/business/4444477.stm [bbc.co.uk]

  • How much longer until personal data gets protected (Score:3, Interesting)

    by Skyshadow ( 508 ) * on Wednesday April 20, 2005 @11:55AM (#12293566) Homepage
    Once again, let me suggest that it may be time to legislate significant penalties for companies and/or individuals who are careless with personal data.
    • the only solution is the eradication, entirely, of the notion of 'personal data'. by that, i mean: you personally should be recording everything, not just the company. both sides should have their full records, for there to be 'fairness'.

      until there is such a common, accepted, standardized practice, there will always be a mis-balance of corporate-Entity(knowledge of individuals) versus indepent-Entity(knowledge of corporate state). the reason we hate big brother is because we have no control over him; w

  • As an Ameritrade customer I'd be worried... (Score:4, Funny)

    by Anonymous Coward on Wednesday April 20, 2005 @11:56AM (#12293573)
    Thankfully, all my tech stocks have tanked and there are no more assets to attack. As a matter of fact, I'm more likely to get sued by identity theives for ruining their reputations and credit ratings.

  • Compressed Data Secure? (Score:2, Funny)

    by Anonymous Coward
    My favorite:

    "the missing back-up tape contained compressed data that would require very advanced computer systems to access."

    http://money.cnn.com/2005/04/19/technology/amer i tr ade/

    Note she did not say encrypted. Modern tape software is often intelligent enough to recognize not only its own compression algorithms, but also formats and algorithms used by other vendors. Maybe Ameritrade thinks they are one of the only companies in the world utilizing LTO, or maybe LTO-2?
  • Technically someone is in possession of the tape until their is reason to believe otherwise.

  • News at 11, [insert company name here] loses data (Score:5, Funny)

    by lxdbxr ( 655786 ) * on Wednesday April 20, 2005 @11:57AM (#12293585) Homepage
    At this point, I feel it would be useful to have a list of major companies which have not lost hundreds of thousands of customer records.

    We could then refuse to do business with those companies on the grounds that they were obviously lying.

  • Ameritrade needs to fire their IT Director (Score:3, Insightful)

    by ip_freely_2000 ( 577249 ) on Wednesday April 20, 2005 @11:57AM (#12293587)
    "...Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    Ah, no.

    This is squarely the problem of Ameritrade management. Protection and recovery of backup data rests squarely with IT. There should have been a detailed process done in conjunction with a reliable shipper to ensure protection ( or perhaps a private courier ) of the tape.

    Yet another clueless corporation that has no sense of responsibility.
    • Even a "reliable shipper" or private courier can lose something. Or do you think there are shipping companies out there who have never lost a package?

      I agree the data probably should have been encrypted, but if this really was a shipping problem, I have a hard time blaming Ameritrade.
    • "This is squarely the problem of Ameritrade management. Protection and recovery of backup data rests squarely with IT. There should have been a detailed process done in conjunction with a reliable shipper to ensure protection ( or perhaps a private courier ) of the tape."

      So your suggesting that having done all this, they will never lose data? And protection and recovery rests squarely with IT?

      You're making a lot of assumptions. I am pretty sure they had a "detailed process" and used what they thought wa

  • American Century (Score:2, Informative)

    by Rob the Bold ( 788862 )
    Got a letter last week from American Century that 2 PCs had been physically stolen form the American Century office containing account information -- names addresses, balances, but no SSNs.

  • I'm an Ameritrade customer and I DO care how... (Score:4, Insightful)

    by samdu ( 114873 ) <samdu@@@ronintech...com> on Wednesday April 20, 2005 @12:00PM (#12293625) Homepage
    ...about how the data was lost. It's a little bit difficult to get angry about a lost package in the shipping process. It happens. It's always going to happen. It's rare, though. I'd be a little pissed off if this was due to a network breach at Ameritrade. As it is, I'm not too concerned. So, yeah, it DOES matter how the data was lost.

  • Not Ameritrade's Fault? (Score:3, Insightful)

    by lbmouse ( 473316 ) on Wednesday April 20, 2005 @12:02PM (#12293659) Homepage
    Further blaming the shipping company, she explained that "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    No, it's an Ameritrade-picking-a-bad-vendor issue. It is still ultimately Ameritrade's fault.

  • An Epidemic? (Score:5, Informative)

    by WhiteBandit ( 185659 ) on Wednesday April 20, 2005 @12:05PM (#12293690) Homepage
    So I've been creating a list of all the major cases I've heard about in 2005. Nearly 1.3 million people have been affected so far this year. Of course now Slashdot won't let me post the information because I have "too few characters per line."

    I originally posted an expanded version of this list on my blog [rockbandit.net] to start keeping track of everything.

    Here is basically what it looks like:
    Date: 04-18-2005
    Name of Organization: Ameritrade
    How: Lost backup tape with shipping agency
    People Affected: 200,000
    Link: http://money.cnn.com/2005/04/19/technology/ameritr ade/ [cnn.com]

    Date: 04-14-2005
    Name of Organization: Polo Raplh Lauren - Mastercards
    How: "Security Breach" - Hackers
    People Affected: 180,000
    Link: http://www.sfgate.com/cgi-bin/article.cgi?file=/n/ a/2005/04/14/financial/f064639D31.DTL [sfgate.com]

    Date: 04-08-2005
    Name of Organization: San Jose Medical Group
    How: Stolen Laptop
    People Affected: 185,000
    Link: http://www.sfgate.com/cgi-bin/article.cgi?f=/news/ archive/2005/04/08/financial/f115753D39.DTL [sfgate.com]

    Date: 03-29-2005
    Name of Organization: UC Berkeley
    How: Stolen Laptop
    People Affected: 98,000
    Link: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/20 05/03/29/BAG3MBVSFH1.DTL [sfgate.com]

    Date: 03-26-2005
    Name of Organization: Northwestern University
    How: "Security Breach" - Hackers
    People Affected: 21,000
    Link: http://www.chicagotribune.com/technology/ [chicagotribune.com]
    chi-050 3260274mar26,1,5138021.story?coll=chi-technology-h ed&ctrack=1&cset=true

    Anyway, this is definitely getting ridiculous and out of hand. And it seems we're pretty much helpless to control it as well. When are a lot of these companies going to stop requiring valuable information like social security numbers and such?
    • http://www.firstcoastnews.com/news/georgia/news-ar ticle.aspx?storyid=35796

      "ATLANTA (AP) -- D-S-W Shoe Warehouse officials estimate that thieves stole one-point-four million credit card numbers."

    • Delete the linefeeds - HTML doesn't use them, and it bypasses the lameness filter. At least two estimates have gone up by a factor of 10, suggesting that many of the reports so far are underreporting. Most reports are in California, due to State law. There are 50 States, and no reason to assume California is worse than the others. Indeed, as it has a high density of techs, it might actually be doing better.

      A back-of-the-envelope calculation suggests that the "true" figure for compromised data may be as hi

    • Nearly 1.3 million people have been affected so far this year

      While this may be a reasonable estimate, simply adding the numbers of people affected from each case may overstate the problem. There's bound to be some overlap between all the databases.

    • You should include the date reported as well as the date(s) of the incident and the date of discovery. You should also explain what data was lost (SSNs, CC#s, credit info, medical info, etc.) and whether there are any know uses of the stolen data. (I'd also include a likelihood ranking of whether the data will/could be used. For this incident, I'd give it a very low likelihood.) You should include the recent DSW incident, and probably ChoicePoint. (The ChoicePoint incident was discovered in October 2004, bu
    • You missed the George Mason incident earlier this year. Maybe that was only tens of thousands of records though.

      ~D

  • Backup Tapes should always be encrypted (Score:3, Insightful)

    by workerbeedrone ( 323535 ) on Wednesday April 20, 2005 @12:07PM (#12293702)
    There is no excuse not to encrypt all backup tapes anymore where sensitive data is involved. There are appliance-style products out there specifically for encrypting tape backups, if you can't figure out another way.
    And I'm sure there are plenty of SW solutions also.

    This kind of crap has been happening too often.
    I hate to say we need a law, but we need a law.
  • doesn't mean they haven't lost it, but failed to report it in such a way that the media passed it on.

    We're dealing with a very small subset of firms that have either been forced to admit, or have voluntarily admitted, data loss of customer records and personal data collected either with or without permission.

    The number of firms that haven't admitted it, but have had it happen, is a LOT bigger.

  • Responsibility (Score:3, Insightful)

    by derfel ( 611157 ) on Wednesday April 20, 2005 @12:11PM (#12293758)
    I work for a company that designs and builds devices used in the medical industry. If we use a third party for hardware or software, we have to verify and vouch for that software. If a patient gets hurt because some 3rd party app did something wrong, the 3rd party doesn't get sued, we do. It should be the same for personal data. Ameritrade should have made sure the data was secure, whether it was in their hands or not. If anyone's identity gets stolen, or they get ripped off in any other way, Ameritrade should be liable for the loss plus damages! As should all of the other companies that are losing personal data.

  • Ameritrade Customer Service (Score:5, Interesting)

    by kid_wonder ( 21480 ) <[slashdot] [at] [kscottklein.com]> on Wednesday April 20, 2005 @12:14PM (#12293792) Homepage
    Just gave them a call to close my account and I must say that they (or at least the person I talked to) was well versed on the talking points from the press release.

    1) Blame third party
    2) Data is not lost, we just don't know where it is
    3) There has been no evidence of the data being used

    The woman I spoke with was pretty adamant about making these points and really tried to keep me from closing my account.

    I am not sure if this sort of revelation usually results in a significant loss of business or not, but it would appear they were well prepared to rebut peoples concerns.

    • Re:Ameritrade Customer Service (Score:4, Funny)

      by garcia ( 6573 ) * on Wednesday April 20, 2005 @12:24PM (#12293918)
      2) Data is not lost, we just don't know where it is

      And that's when you tell them that just because it's 4/20 does not mean they can be high at work.

    • sheesh (Score:3, Interesting)

      by tuxette ( 731067 ) *
      1) Blame third party

      "I don't do business with companies that cannot and will not take responsibility for what happens to its personal data (or whatever else). In the end, you are where the buck stops. Not the shipping company that you contracted."

      2) Data is not lost, we just don't know where it is

      "If you don't know where it is, then it is..." *drumroll*

      3) There has been no evidence of the data being used

      "Not that you know of...or yet."
  • You ***ENCRYPT*** [and authenticate] your backups.

    So that even if you lose the media you don't leak the data...

    Of course you have to be a Community College grad to figure that out.

    I R SMRT!

    Tom
  • At a former financial employer, I didn't hesitate to put encryption into the backup system I designed for a particular product. You have to protect the data at every single failure point, including those of the "whoops, where did we put that tape?" kind.

  • FOR SALE (Score:3, Funny)

    by jchawk ( 127686 ) on Wednesday April 20, 2005 @12:18PM (#12293848) Homepage Journal
    One tape backup tape. Appears to be functional, bought from local shipping company at auction. :-P

  • Why do so many sites collect personal information? (Score:5, Informative)

    by amichalo ( 132545 ) on Wednesday April 20, 2005 @12:22PM (#12293907)
    I work with eCommerce for a living. Credit card processing requires the CC#, Exp date, CVV2 code (the digits on the back of the card) and the billing Zipcode.

    Why then must we supply name, address, phone number, email, and other personal information just to make a purchase? (obvious answer is for customer profiling and contacting post-sale.)

    I try to refuse to provide a SSN whenever I recocgize it isn't needed (like to establish an account at the local dry cleaners) but so often, employees become adjitated, as if I am trying to hide something.

    We as consumers need to do more to protect our own personal data from getting to 3rd parties in the first place.

    Now obviously Ameritrade needs such financial and personally identifying information for SEC and IRS compliance, but in that case, they should be required by an oversight body to protect that information.

    HIPPA [wikipedia.org] protects the privacy rights of US citizens healthcare information and has two very important rules:
    (1) information must be secured
    (2) only the minimal information may be collected when required and only the minimal information may be shared with those who require it.

    Why doesn't this exist for SSN, bank account numbers, etc?
  • Is it time for the USPSS system, or the UPSS system? You know, like HTTPS, but for the postal system or UPS. That way you can securely send your packages using the latest in cutting edge delivery security.

  • Argh! (Score:5, Insightful)

    by crimoid ( 27373 ) on Wednesday April 20, 2005 @12:25PM (#12293926)
    "this was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."

    I'm so peeved when I see comments like this. When will people realize that when they hire a 3rd party vendor to complete a task they are not absolved of responsibility. This IS an Ameritrade Systems issue. They didn't encrypt their data. They didn't hire a responsible shipper. They still "own" the issue.

    I did technical account management for years. One thing our group was primarily responsible for was saying "Yes, this is our issue, we will see it to resolution". Even when the blunder was caused by a 3rd party, we owned it. It was our responsibility.
  • Adam: It was Eve's fault!
    Eve: It was the snake's fault!
    George Bush: It was the CIA's fault!
    Ameritrade: It was the third party vendor's fault!

    I don't know about you guys, but I see a trend here...

  • Tape? They're not allowed to use tape. (Score:4, Informative)

    by Animats ( 122034 ) on Wednesday April 20, 2005 @12:29PM (#12293987) Homepage
    Brokers aren't allowed to use magnetic tape. SEC Rule 17a-4, "Records to be preserved by certain exchange members, brokers and dealers" [complinet.com], requires write-once media.
    • (2) If electronic storage media is used by a member, broker, or dealer, it shall comply with the following requirements:

      (i) The member, broker, or dealer must notify its examining authority designated pursuant to section 17(d) of the Act (15 U.S.C. 78q(d)) prior to employing electronic storage media. If employing any electronic storage media other than optical disk technology (including CD-ROM), the member, broker, or dealer must notify its designated examining authority at least 90 days prior to employing such storage media. In either case, the member, broker, or dealer must provide its own representation or one from the storage medium vendor or other third party with appropriate expertise that the selected storage media meets the conditions set forth in this paragraph (f)(2).

      (ii) The electronic storage media must:

      (A) Preserve the records exclusively in a non-rewriteable, non-erasable format;

      (B) Verify automatically the quality and accuracy of the storage media recording process;

      (C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and

      (D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.

    Brokers are required to use a storage medium where tampering is evident. Once that was bound ledger books written in ink. Later, it was bound books of computer printouts. Then it was microfiche. Today, it's CD-ROM or DVD-ROM. But not magnetic tape. Not even for backup.

    And if a securities firm outsources some of its back office operations, the outsourcing firm has to make certain filings with the SEC:

    • (i) If the records required to be maintained and preserved pursuant to the provisions of Sec.Sec. 240.17a-3 and 240.17a-4 are prepared or maintained by an outside service bureau, depository, bank which does not operate pursuant to Sec. 240.17a-3(b)(2), or other recordkeeping service on behalf of the member, broker or dealer required to maintain and preserve such records, such outside entity shall file with the Commission a written undertaking in form acceptable to the Commission, signed by a duly authorized person, to the effect that such records are the property of the member, broker or dealer required to maintain and preserve such records and will be surrendered promptly on request of the member, broker or dealer and including the following provision ...
    Ameritrade needs to address these issues. As a broker, they are not allowed to be casual about record-keeping.

    • Re:Tape? For backups yes (Score:4, Informative)

      by ihaddsl ( 772965 ) on Wednesday April 20, 2005 @12:48PM (#12294173)
      What you are quoting are the rules for archival storage of information (that is the rule that requires orginasations to store for 6 years data relating to their transactions for compliance purposes.) This does not apply to all information retained by brokers (but to specific transactional related data), and it most certainly does not apply to regular backup procedures

    • Hey (Score:2)

      by geekoid ( 135745 )
      there is a difference between backing up you data, and creating a permenant record.

  • Lost tapes (Score:2, Interesting)

    by Viceman001 ( 781135 )
    I lost our backup tapes once. I left them on top of my car when carrying them to the off site storage. Fortunately, or mabye unfortunately, when I went looking for them, I found that I had ran over them. User data safe, 6 dds4 tapes destroyed, huge ulcer from worrying about server crash on the day of incident.

  • Easy to restore (Score:3, Funny)

    by Dun Malg ( 230075 ) on Wednesday April 20, 2005 @01:20PM (#12294473) Homepage
    Even if they don't have backups it should be easy to get most of the info. Just send an email to their customers:

    Dear valued Ameritrade customer:
    Due to computers errors, we may have lost some of your informations. Please go to the following web site and verify your informations. Please do so as soon as possible or your account may be suspended. Thank you.

    http:/256.123.321.201/Ameritrade.html

Slashdot Top Deals

"Hello again, Peabody here..." -- Mister Peabody

Close