(UPDATED December, 2011) Finally, a little of TD Ameritrade’s money is going to a few of the class members it ripped off.  It’s taken 6 years to get here!  Though TD Ameritrade refuses to pass a security audit and covered up the breach, the government (in the form of the SEC and the federal judiciary) and the financial industry’s self-regulatory organization (FINRA, née NASD) have let it off with a slap on the wrist that will have no material impact on the company.  Criminals had gained ongoing access to TD Ameritrade’s customer database back in October, 2005.   This database contains 6.3 million+ customers’ names, addresses, mailing addresses, email addresses, trading histories, account numbers, account balances, dates of birth – oh, and social security numbers too.  AMTD knew of, covered up, and failed to fix the problem for TWO YEARS. How do I know this?

Notes for new readers:

  • If you’re new here or found this useful, or just want to offer your support, please add a comment. I will keep the comment private, if you prefer.
  • This article is sticky, which means it always appears at the top. Other articles appear below this one, newest first.
  • Like on many blogs, only part of each article on the site appears on the main page. (The whole article becomes viewable if you click the title.) The bulk of the article becomes viewable if you click the “(more…)” tag after reading to the end of the teaser text. Like this:

(more…)

The SEC has a pathetic new regulation, its first on cybersecurity.  It’s another cog in a system designed to provide the appearance of Justice without actually meting it out to the very powerful or wealthy.  The SEC refused to act on warnings about the TD Ameritrade breach, the Madoff scam, and is poised to … continue to do more of the same…

How do I feel?

I feel like the justice system has let me down, like the Wall Street protesters who, e.g., want to see the executives of my former employer who lied to Congress at least get arrested.

TD Ameritrade (TDA) has refused to pass a security audit, and the attorneys supposedly representing the class are OK with that. If TDA had secured their customer data properly, they would, most certainly, be eager to show that to their customers and target market.

My friends and I are angry that TDA’s security is still Swiss cheese. Earlier this year, they accidentally admitted that they didn’t even have an IDS or IPS system in place! I hear they still don’t encrypt customer data and still grant staff far more customer data access than is needed to do their jobs. They’re in violation of Massachusetts law. They’re literally making millions serving customers over the Internet that they wouldn’t make without the Internet, but not taking the small steps necessary to protect those customers. They spent millions on attorneys (at one judge-managed mediation session, there were ~30 attorneys present.) Instead of covering up their mistakes, they should be doing the right thing.

They profit off the Internet, but won’t invest in it! Their databases are an open book to gangs and even determined high-school students. They should be hiring and training their staff and deploying resources so that they can pass a security audit. They’ll get hacked again. And when they do, they’ll be back in court. And this warning, which I delivered in court, will haunt them.

The Armstrong court cherry picked which objections in my final filing to address and which to ignore.  The court demonstrated that it doesn’t even understand the 9th District’s own General Order (regarding PDFs) because it’s too technical!  (Even though it’s quite simple.)  There’s no way it understood all the key technical security issues in this case.

There’s been a news blackout with respect to the fact that TD Ameritrade actively covered up the security breach, as the whistleblower-sourced information I’ve published here details.

I’m glad that TD Ameritrade has at least received some bad press for its disgraceful behavior, and that those who filed claims are expected to receive significant compensation.  I’m glad that the bulk of the class is at least somewhat aware of the breach.  Unfortunately, the insignificant cost of this settlement sends the message that executives who underfund the Information Security department and direct the cover-up of a security breach are making the right choices, as far as the financial interests of shareholders go.  TDA would need to spend more than it spent settling this case to shore up its security enough to pass a proper audit.

I’m sick and tired of having essentially no choice but to intentionally expose my computer to attack and root compromise by any resourceful and motivated adversary.  It’s time to do more about it.  COMING SOON:  elvey.com/insecure

Should I sue the makers of this film for copyright infringement?

I’m joking, of course, in case that wasn’t obvious.  However, this film does a damn good job portraying what the InfoSec department at TD Ameritrade was (and, unfortunately, still is) like.  Counsel recently informed me, probably not realizing the foolishness it exposed, that TD Ameritrade DID NOT HAVE AN INTRUSION DETECTION SYSTEM (IDS) (or an Intrusion Prevention System (IPS)) in place!

Watch it. (just Episode 1! It’s just 4 minutes.  Definitely skip Episode 2. Episode 3 is weak too.)

And no, I’m not endorsing AppSec or DBPROTECT.

Note the underlined bits.  Note the choice of words used.  “Spam”, instead of “Security Breach”.  “Other personal information”, instead of “including Social Security Numbers, Account Balances, Home Addresses and Phone Numbers” or, better yet, the – still undisclosed – complete actual list of the data fields in the compromised database.

I’ve been following TD Ameritrade’s SEC filings – 10-Qs, etc.

In one 10-Q, I find this note about the case; similar notes are in other 10-Qs:
Spam Litigation – A purported class action, captioned Elvey v. TD Ameritrade, Inc., was filed on May 31, 2007 in the United States District Court for the Northern District of California. The complaint alleges that there was a breach in TDA Inc.’s systems, which allowed access to e-mail addresses and other personal information of account holders, and that as a result account holders received unsolicited e-mail from spammers promoting certain stocks and have been subjected to an increased risk of identity theft. The complaint requests unspecified damages and injunctive and other equitable relief. A second lawsuit, captioned Zigler v. TD Ameritrade, Inc., was filed on September 26, 2007, in the same jurisdiction on behalf of a purported nationwide class of account holders. The factual allegations of the complaint and the relief sought are substantially the same as those in the first lawsuit. The cases were consolidated under the caption In re TD Ameritrade Accountholders Litigation. The Company hired an independent consultant to investigate whether identity theft occurred as a result of the breach. The consultant has conducted four investigations since August 2007 and reported that it found no evidence of identity theft. The parties entered into an agreement to settle the lawsuits on a class basis subject to court approval. On May 1, 2009, the Court granted preliminary approval of the proposed settlement, which had been revised, and set a hearing on final approval for September 10, 2009. Some class members have filed objections and opt-outs. The settlement is not expected to have a material effect on the Company’s financial condition, results of operations or cash flows.

I called the Claims Administrator yesterday, at 1-888-749-8173. The firm is well known in its field: Rosenthal & Co, which is part of Computershare.  What a fiasco!

Warning: DO NOT USE the information (more…)

NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.

On December 9, 2010, I filed and argued in court against the motion for preliminary approval:

Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns.  I’d highlight them thusly:  We pushed for an effective audit.   This settlement proposal notice is misleading and poorly publicized, and so cannot be fair.  It has an audit component that to the untrained or hasty eye is meaningful compensation, but (more…)

Judge Walker has said that the audit component primarily benefits TD Ameritrade, not the class.  Here’s why I think a good audit component substantially benefits the class.  (more…)

The proposed settlement has been thrown out!

What did I think of the decision?

What do I want to see happen?

The media is asleep on the job?

(more…)

THE SNOWJOB TD Ameritrade’s PR goons pulled is unraveling.  UCAN’s Privacy Rights Clearinghouse, run by Beth Givens, has corrected its database entry for the breach.  Attrition.org/datalossdb.org have corrected their entry.  Both now indicate that social security numbers were compromised.

Today is the hearing on approval of the settlement – at 10 AM (September 10th) in Courtroom 6, 17th Floor, 450 Golden Gate in San Francisco. Wish me and my Allied Forces luck.   I expect several parties will/won’t speak: (more…)

Thank Yous are due to many folks who helped me in this mission. (more…)
