They're "Vigilant" About Protecting Privacy
Just not vigilant enough. Ameritrade is the latest of the big companies to send out the "Whoopsy!" letter, as in "Whoopsy! Somebody may be having a hot time buying fur coats at Saks Fifth Avenue after hacking your Social Security Number out of our database."
Here's the letter I got:
And here's a Network World story about what looks to be a two-year-old cover-up on Ameritrade's part:
E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005. Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem.Following that January 2006 e-mail, subsequent warnings from multiple sources - including a column this May by my Network World colleague Mark Gibbs - also failed to prompt the company to alert its clients. Only last Friday did Ameritrade publicly acknowledge that "unauthorized code" on its systems had "allowed certain information stored in one of our databases, including e-mail addresses, to be retrieved by an external source."
More than 6 million customer accounts were exposed, although Ameritrade contends there has been no known identity fraud associated with the breach.
"I warned Ameritrade of a security breach in January of 2006, which means that it likely occurred in mid- to late-2005," says Joshua Fritsch, who sent the Jan. 9, 2006 e-mail and provided copies of his exchange with Ameritrade to Network World. Fritsch has 15 years of experience in networking, including "security design and management for a global financial firm."
Ameritrade stands by its decision to hold off on an earlier public notification.
"We didn't know how the information was getting out," company spokeswoman Kim Hillyer told me this morning. "We didn't know the scope of the issue."
Asked if prudence might have suggested an earlier alert - given the number of sources and the expertise of those warning the company, coupled with all the internal uncertainty - Hillyer fell back on her talking points and insisted there was nothing more they could have done.
Nothing more they could've done to protect themselves from bad PR, don'tcha mean? You mean, like how easily "Ameritrade" becomes "Scum-meritrade," after I've learned about their apparent coverup?
Scum-meritrade, Scum-meritrade...pass it on!
And for those of you who live in California, as I've urged before...security-freeze your credit already.
How high a price do you place on peace of mind? Or, if anybody commenting here has had their identity stolen, on what you've had to go through to fight it?
What I'd like to see is somebody who's had their identity stolen sue, not just to get creditors to remove false information about them from their credit file, but if they can trace the path back to some lax company like Ameritrade, TJ Maxx, or so many others, to take that company to court and make them pay!
link via Consumerist
Good luck with the lawsuits - - I couldn't even get the attorney trying to sue them NOW to call me back, hence the info dump to Network World. If the *attorneys* are that lazy, the common person has no chance at all.
Joshua Fritsch at September 21, 2007 10:39 AM
I got that letter too, and I didn't believe them that my data wasn't compromised. Fortunately, Texas just passed a security freeze law similar to California's.
I had my credit stolen a few years ago, in the worst way- theif used my information to open about half a dozen of their own accounts and go on a shopping spree. I had the shipping addresses, names, ect. The person used my home phone number on a credit app and provided my brother's name as a reference. I called the police in the tiny town the theif was addressed in- at a house rented in my name. The guy took his time, but eventually got by there on his way to lunch, probably, and was quite suprised to catch the bitch red-handed with a house full of crap I had itemized bills for and a platinum Mastercard in my name.
I check with him periodically, but the trial drags on, and he never has news. He said he would make it a contingency of any plea bargain that she cough up the source of her information on me. I found on my credit card bill a charge to the same tiny town at about the same time, for a book I bought, and I assume that's where she got my credit card number. I theorize that she worked at a credit card company, or knew someone who did, who ran a skip trace on me for her. If I ever manage to prove that's what happened, that company will be putting my kid through college.
Most of the fraudulent accounts just closed right up, took the info right off. The most I had to do was send a police report. I think they figure that it's the cost of doing business. I'm still dealing with Mcleaud, which I'd never heard of, but seems to be a phone company for deadbeats- they opened the theif's account after AT&T shut them down for nonpayment, and AT&T's shitty little collection agency- "Collection Company of America" out of California. I'm about to dispute those with the bureaus, but it's a huge pain in the ass, and I just haven't gotten to it.
Allison at September 21, 2007 11:19 AM
I forgot, she had a bank account on me for awhile, I was excited for a minute that I might could clean it out, but it was empty. Dang.
Honestly, I figure once I get my credit cleaned up, they'll recycle the number and do it again. She had crap delivered to five addresses. I'll have my credit frozen, but I'll bet you it won't make a bit of difference.
I guess I should have used my own blog here, but have you heard of medical identity theft? Theif uses your information to get surgery or something, and replaces all your info with his. Then you have a car accident and the folks in the ER give you a transfusion of the wrong blood. Or medicine you're allergic to. And you DIE. Seriously, I don't see what the average person can do here. Your information is just up for the taking, pretty much everywhere you've ever done business, and a few places you haven't, even.
Allison at September 21, 2007 11:27 AM
Wow...I read about that somewhere.
And my sympathies on what you've gone through.
Amy Alkon at September 21, 2007 1:49 PM
"More than 6 million customer accounts were exposed, although Ameritrade contends there has been no known identity fraud associated with the breach."
Right. Why anybody would give this merit, given the short amount of time and the care with which identity thieves work, is beyond me.
Radwaste at September 21, 2007 3:02 PM
If they haven't been open about the breach, how would anyone who's had their identity stolen connect it to them? Furthermore, I don't exactly trust their ethics. If my data is exposed, I have a right to know.
Amy Alkon at September 21, 2007 3:11 PM
I guess the only way you can connect it to any company is if the person is caught, arrested and made to name their source. I hear the odds of that are astronomical. In my case, I called all the creditors' fraud departments and all the stores where the stuff was bought, and asked for all the info I could get, some were very helpful, then used the internet to track the person down and call the PD in her town. If I hadn't done the initial work, I doubt anyone would have gone looking. Honestly, I considered buying a plane ticket and knocking on her door. But in hindsight, I don't suppose that would have gotten me anywhere but more trouble.
AS for your data safety, you could either freeze your credit, or monitor it through all three bureaus. Monitoring costs about 12 bucks a month and reps will call you within a few hours of a questionable transaction. Then you'll know you have a problem, and you can have your credit frozen for free.
I'm crapped on credit wise, I swear- my teenaged brother in law who at the time lived with us stole one of my credit cards and used it to buy gas at 3 am, which was questionable enough for the credit card reps to call me. So I got to bust him, and evict him, within four hours!
Allison at September 22, 2007 11:52 AM
This explains a lot of junk mail I was getting. I haven't gotten the letter from Scum-meritrade yet, but I'm traveling so I haven't had the chance.
Thank you for posting this one.
Shawn at September 22, 2007 12:08 PM
Leave a comment