Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade pump-n-dump spam and Identity Theft litigation. (I discovered the information security breach by which the Social Security Numbers of all 6.3 million+ AMTD customers were compromised and proved that known criminals had gained access to the database they were in.)

(UPDATED December, 2011) Finally, a little of TD Ameritrade’s money is going to a few of the class members it ripped off. It’s taken 6 years to get here! Though TD Ameritrade refuses to pass a security audit and covered up the breach, the government (in the form of the SEC and the federal judiciary), and the Financial Industry’s self-Regulatory-organization Authority (FINRA, née NASD) have let it off with a ‘slap on the wrist’ that will have no material impact on the company. I guesstimate the ‘slap on the wrist’ was over $40 million: $6.5 million for the settlement, plus the cost of my attorneys, their attorneys, printing, stuffing and mailing over 12 million letters, litigation costs (flying dozens of attorneys to San Francisco), increased insurance costs, loss of business, etc. Criminals had gained ongoing access to TD Ameritrade’s customer database back in October, 2005. This database contains 6.3 million+ customers’ names, addresses, mailing addresses, email addresses, trading histories, account numbers, account balances, dates of birth – oh, and social security numbers too. AMTD knew of, covered up, and failed to fix the problem for TWO YEARS. How do I know this?

Notes for new readers:

  • If you’re new here or found this useful, or just want to offer your support or feedback, please add a comment. I will keep the comment private, if you prefer. (Oops; they were turned off.  On now. Moderation is on.)
  • This article is sticky, which means it always appears at the top. Other articles appear below this one, newest first.
  • The blog may be easiest to follow if you start with the oldest post first.  Just scroll down and start there.
  • Like on many blogs, only part of each article on the site appears on the main page. (The whole article becomes viewable if you click the title.) The bulk of the article becomes viewable if you click the “(more…)” tag after reading to the end of the teaser text. Like this:

(more…)


Apologies for the ads that WordPress puts here; I don’t make money off of them. Any income they generate goes directly to WordPress. I don’t see it and besides, WordPress is a pretty cool company, actually.

These coordinates mean ‘unknown’ and are equivalent to 123 Anywhere St, AnyCity ST 12345, USA. (Though they happen to specify an actual place, it’s in the middle of a lake.)

Proof:
This Google search: https://www.google.com/search?q=site:ipaddress.com+37.7510 shows the Latitude coordinate appears around four hundred thousand times on just one site. (About 398,000 results.)

And the full Latitude – Longitude pair also appears around 400,000 times on just that one site, per https://www.google.com/search?q=site:ipaddress.com+37.7510+97.8220!

(Kinda OT for this blog, but not entirely.) Purpose: save others time. And maybe they’ll stay and learn about the amazing bank-security/court scandal documented here.
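The practical use of the observation above, for anyone enriching logs with IP geolocation, is to stop treating that placeholder pair as a real location. The following is an added example, not code from this blog: it assumes the longitude is -97.8220 (west; the page writes the pair without a sign), and it generalizes slightly by also treating Null Island (0, 0) as a placeholder.

```python
"""Flag IP-geolocation results whose coordinates are provider placeholders.

Added example, not the blog author's code. The page notes that the pair
37.7510 / 97.8220 means "unknown" (it lands in the middle of a lake); this
assumes the longitude is -97.8220 (west). Null Island (0, 0) is added as a
second well-known placeholder, a generalization beyond the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder coordinates that mean "region known, exact point unknown".
PLACEHOLDER_COORDS = (
    (37.7510, -97.8220),  # the pair discussed on the page (lake in Kansas)
    (0.0, 0.0),           # "Null Island"; assumption, not taken from the page
)
TOLERANCE_DEG = 0.001  # providers round to 3-4 decimals; 0.001 deg is ~100 m


@dataclass
class GeoResult:
    """One geolocation lookup result (constructed shape, not a real API)."""
    ip: str
    latitude: float
    longitude: float
    city: Optional[str] = None


def is_placeholder(lat: float, lon: float, tol: float = TOLERANCE_DEG) -> bool:
    """True when (lat, lon) lies within tol of a known placeholder pair."""
    return any(abs(lat - p_lat) <= tol and abs(lon - p_lon) <= tol
               for p_lat, p_lon in PLACEHOLDER_COORDS)


def annotate(results: List[GeoResult]) -> List[Dict]:
    """Return one record per input; placeholder coordinates are cleared.

    Downstream consumers (map plots, location-based alert rules) then see an
    explicit None and "unknown" instead of a fake point in Kansas.
    """
    out = []
    for r in results:
        if is_placeholder(r.latitude, r.longitude):
            out.append({"ip": r.ip, "latitude": None, "longitude": None,
                        "city": None, "location_confidence": "unknown"})
        else:
            out.append({"ip": r.ip, "latitude": r.latitude,
                        "longitude": r.longitude, "city": r.city,
                        "location_confidence": "point"})
    return out


# Constructed sample records (documentation IP ranges, not real lookups).
SAMPLE = [
    GeoResult("192.0.2.10", 37.751, -97.822, None),             # placeholder
    GeoResult("198.51.100.7", 37.7749, -122.4194, "San Francisco"),
    GeoResult("203.0.113.5", 0.0, 0.0, None),                   # Null Island
]

if __name__ == "__main__":
    for rec in annotate(SAMPLE):
        print(rec)
```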

The datalossdb.org folks finally approved my reply to their reporting on my case, which had been in their moderation queue for two and a half years! (It had also been posted here at https://caringaboutsecurity.wordpress.com/2016/05/06/looking-back/ .) Apparently, their WordPress installation wasn’t working, and their project is in hibernation mode.

DataLossDB

The TD Ameritrade incident of 2007 hasn’t quite been resolved — yet. While the breach may have been contained, the litigation is still ongoing. A class action suit filed in California in May of 2007 has reached a preliminary settlement, but the settlement is contested by the individual who filed the class in the first place and has been through some extremely interesting twists and turns.

The case was filed in May of 2007, with a complaint that claimed that TD Ameritrade was essentially selling email addresses of clients to spammers, in violation of TD Ameritrade’s privacy policies and various laws.

A motion for a preliminary injunction kicked things into gear in July 2007, which alleged that the spam was still ongoing, and demanded that TD Ameritrade take steps to protect members of the class (TD Ameritrade customers). The fact that the incident was still ongoing at the time of…


This is a response to the DataLossDB blog post “Legal Sub-Project – Elvey v. TD Ameritrade” by jkouns, June 14, 2009.

You ask some tough questions, and I have answers! This is Elvey. I filed the case. I was not aware of this post till now and want to belatedly direct any potential readers to some information that should further inform, as well as correct some inaccuracies.

I greatly appreciate your coverage of the case and particularly your highlighting and clear explanation of some of the key details that others have glossed over, like detailing the lack of substantial improvements in the new settlement, the far-fetched reasons for sealing the deposition (even from my own eyes!), and especially your picking apart the ridiculousness of the whole ‘presumption that since no evidence of “organized misuse” exists, Social Security numbers had not been compromised.’ concept.

I want to emphasize that my initial case filing alleged a “classic pump-and-dump scheme”, with a definition, references and strong evidence that the scheme benefited TD Ameritrade, not mere garden variety spamming.

What brought the compromise of Social Security numbers to light was the injunction I filed that forced TD Ameritrade to disclose it, not the suit Zigler filed. (By the way, Zigler was someone I found. Zigler was a victim of the breach, and my attorneys and I reached out to him; he joined my case very early on. The initial case caption is “[Me] and GADGETWIZ, INC., an Arizona corporation [owned by Brad Zigler], on their own behalf and on behalf of all others similarly situated, Plaintiffs v. TD AMERITRADE…”.) Over a year later, the firm of Scott Kamber, the crooked attorney who flew to San Francisco to arrive at my home unannounced to back the threats he had made on the phone and via email after I balked at the shitty settlement terms he negotiated, filed the Brad Zigler v. TD Ameritrade case. Some of the threats are described and quoted in a court filing and this blog post; the former is document Dkt 175. I stand by the accuracy of the quotes in that filing. Do they not convince you that Kamber’s claim that “Never was Mr. Elvey threatened or even pressured in any manner.” is a lie? I think the Trial Lawyers closed ranks to protect one of their own, instead of rooting out the documented threat or the corruption that motivated it. Despite strong pressure and direct legal advice to keep quiet about the threats, I refuse to back down.

You claim/ask: “Why did Elvey approve the settlement in the first place?” But as I noted on my blog in the post linked to above, “KamberEdelson filed document Dkt 53-2 with the court (the first proposed settlement), to my case’s docket, which shows my signature on a signature page I signed (i.e. it is my signature) but it’s been placed into a document I did not sign.”

What I hadn’t thought to make public till now is some further evidence to back that up:

On Thursday, May 22, 2008, I emailed the court of Judge Vaughn Walker directly:

“I’m just following up on an urgent message I left with VRW’s
docket clerk and discussion with his court deputy.

Please do not accept any settlement agreement my attorneys file
that purports to contain my signature or assent to a settlement
without verifying that signature or assent with me directly.  You
should expect any documents that purport to have my signature to
be digitally signed (e.g. like this email – with an S/MIME
or PGP/GPG key).

I’d be happy to explain further in court; I’d explain here but I
have been told that I shouldn’t; it might be inappropriate ex
parte communication.

-Matthew Elvey, Plaintiff.”

Once presented with the surprising, horrible settlement draft and threatened, I had begun figuring out what to do, begun searching for alternate counsel to represent the class, and anticipated the filing that was made days later. I’d been assured TD Ameritrade had agreed that the settlement would include passage of real (internal) security audits, no release of liability for ID theft, and a substantial donation component to a breach-fighting non-profit (like the OSF), but it didn’t!

I hope that answers your question: “Why did Elvey approve the settlement in the first place?” Clear?

You ask, “Is TD Ameritrade not already required by industry standards like PCI, or better yet, its own internal security policies to do so?” I answered that in this old blog post.

I’m generally very skeptical and a Yale-educated scientist – not one to believe conspiracy theories. I see conclusive evidence of corruption by key parties in this case. That, plus strong but not conclusive evidence, has me convinced that there’s also corruption behind other odd decisions in the case that you mention, like support for and approval of the slightly improved settlement version that, as you say, “substantively didn’t really alter much”.

Judge Walker repeatedly asked the former class counsel to place a value on the benefits the rejected settlement offered to the class. I think it’s doable, and no one has truly done so, so I’m going to give it a shot.

  • The audit component does not require TD Ameritrade to fix the problems found, and mainly benefits the firm, not its clients, so I give it a value of $50. Weekly penetration testing can be ordered for about $100 per YEAR, so this is generous. I discussed this in more detail in my CMC statement (see page 10 of that document) and in a forthcoming (currently private) blog post dedicated to this component.
  • Regarding the software offered in the rejected settlement: TD Ameritrade defied the judge’s order; they never plainly stated how much they had or would pay for the software. Though I was given an approximation, I can’t disclose it, and have little faith in the source or the number (and no, it’s not from a whistleblower). I feel the software component should be valued based upon actual redemption rates, as tracked by proof of payments received for the software by the software firms from TD Ameritrade after the final settlement date. For each class member who downloads (and, if activation is required, activates) the software, the value should be $5 (this is five times the amount the firm has implicitly represented as the cost). If the Trend Micro or other software comes with the standard 3-year, 3-computer license, then its valuation should be trebled. Postscript: it seems I was right not to trust the source for the approximation; I was told TD Ameritrade had already paid or committed to pay a certain amount for the software. If that were true, they wouldn’t have removed it from the settlement agreement, as it was a sunk cost; even if its value was being discounted by the court, it certainly still had some value.

KamberEdelson/KamberLaw/Edelson McGuire law firm/attorney compensation, if any, should be based not upon the rates they proffered to the court, but rather upon the hourly rates at which the firm agreed to represent the class, as recorded in the contract signed May 14, 2007, of $500 (Scott Kamber and Alan Himmelfarb) and $335 (Ethan Preston and Dana Rubin), and an appropriate multiplier, and on the value of the settlement, and factoring in the quality of the representation – which led to another firm, Kreindler and Kreindler, stepping in as lead plaintiff’s counsel.

The SEC has a pathetic new regulation, its first on cybersecurity. It’s another cog in a system designed to provide the appearance of Justice without actually meting it out to the very powerful or wealthy. The SEC refused to act on warnings about the TD Ameritrade breach and the Madoff scam, and is poised to … continue to do more of the same…

How do I feel?

I feel like the justice system has let me down, like the Wall Street protesters who, e.g. want to see the executives of my former employer who lied to congress at least get arrested.

TD Ameritrade (TDA) has refused to pass a security audit, and the attorneys supposedly representing the class are OK with that. If TDA had secured their customer data properly, they would, most certainly, be eager to show their customers and target market.

My friends and I are angry that TDA’s security is still Swiss cheese. Earlier this year, they accidentally admitted that they didn’t even have an IDS or IPS in place! I hear they still don’t encrypt customer data and still grant staff far more customer data access than is needed to do their jobs. They’re in violation of Massachusetts law. They’re literally making millions serving customers over the Internet that they wouldn’t make without the Internet, but not taking the small steps necessary to protect those customers. They spent millions on attorneys (at one judge-managed mediation session, there were ~30 attorneys present). Instead of covering up their mistakes, they should be doing the right thing.

They profit off the Internet, but won’t invest in it! Their databases are an open book to gangs and even determined high-school students. They should be hiring and training their staff and deploying resources so that they can pass a security audit. They’ll get hacked again. And when they do, they’ll be back in court. And this warning, which I delivered in court, will haunt them.

The Armstrong court cherry-picked which objections in my final filing to address and which to ignore. The court demonstrated that it doesn’t even understand the 9th District’s own General Order (regarding PDFs) because it’s too technical! (Even though it’s quite simple.) There’s no way it understood all the key technical security issues in this case.

There’s been a news blackout with respect to the fact that TD Ameritrade actively covered up the security breach, as the whistleblower-sourced information I’ve published here details.

I’m glad that TD Ameritrade has at least received some bad press for its disgraceful behavior, and that those who filed claims are expected to receive significant compensation. I’m glad that the bulk of the class is at least somewhat aware of the breach. Unfortunately, the insignificant cost of this settlement sends the message that executives who underfund the Information Security department and direct the cover-up of a security breach are making the right choices, as far as the financial interests of shareholders go. TDA would need to spend more than it spent settling this case to shore up its security enough to pass a proper audit.

I’m sick and tired of having essentially no choice but to intentionally expose my computer to attack and root compromise by any resourceful and motivated adversary. It’s time to do more about it. COMING SOON: elvey.com/insecure

Should I sue the makers of this film for copyright infringement?

I’m joking, of course, in case that wasn’t obvious. However, this film does a damn good job portraying what the InfoSec department at TD Ameritrade was (and, unfortunately, still is) like. Counsel recently informed me, probably not realizing the foolishness it exposed, that TD Ameritrade DID NOT HAVE AN INTRUSION DETECTION SYSTEM (IDS) (or an Intrusion Prevention System (IPS)) in place!

Watch it. (Just Episode 1! It’s just 4 minutes. Definitely skip Episode 2. Episode 3 is weak too.)

And no, I’m not endorsing AppSec or DBPROTECT.

Note the underlined bits. Note the choice of words used. Spam, instead of Security Breach. “Other personal information”, instead of “including Social Security Numbers, Account Balances, Home Addresses and Phone Numbers” or, better yet, the – still undisclosed – complete actual list of the data fields in the compromised database.
I’ve been following TD Ameritrade’s SEC Filings – 10-Q’s, etc.
In one 10-Q, I find this note about the case; similar notes are in other 10-Q’s:
Spam Litigation – A purported class action, captioned Elvey v. TD Ameritrade, Inc., was filed on May 31, 2007 in the United States District Court for the Northern District of California. The complaint alleges that there was a breach in TDA Inc.’s systems, which allowed access to e-mail addresses and other personal information of account holders, and that as a result account holders received unsolicited e-mail from spammers promoting certain stocks and have been subjected to an increased risk of identity theft. The complaint requests unspecified damages and injunctive and other equitable relief. A second lawsuit, captioned Zigler v. TD Ameritrade, Inc., was filed on September 26, 2007, in the same jurisdiction on behalf of a purported nationwide class of account holders. The factual allegations of the complaint and the relief sought are substantially the same as those in the first lawsuit. The cases were consolidated under the caption In re TD Ameritrade Accountholders Litigation. The Company hired an independent consultant to investigate whether identity theft occurred as a result of the breach. The consultant has conducted four investigations since August 2007 and reported that it found no evidence of identity theft. The parties entered into an agreement to settle the lawsuits on a class basis subject to court approval. On May 1, 2009, the Court granted preliminary approval of the proposed settlement, which had been revised, and set a hearing on final approval for September 10, 2009. Some class members have filed objections and opt-outs. The settlement is not expected to have a material effect on the Company’s financial condition, results of operations or cash flows.

I will make them talk. A, B, C, and D (not their real names) are all current or former members of TD Ameritrade’s InfoSec group.

Over a month ago, I filed and served a legal subpoena for their emails about the breach.  I also subpoenaed all the reports by internal staff and involved outside firms, which include ID Analytics, Mandiant and Protiviti, regarding the breach, which I understand will cover at least five security audits related to investigating the breach.

But TD Ameritrade has refused to honor the subpoena – AT ALL.

The other things I subpoenaed were:

C) A copy of the circa September 18, 2007 deposition of the former TD Ameritrade CSO (Chief Security Officer) regarding this breach.

D) TD Ameritrade stated on September 15, 2008, “We know specifically when the breaches began.” We request a copy of a document disclosing that date.

E) A copy of each Letter to the Audit Committee and Letter to the Audit Committee Chairman from the company’s auditors from 2005 to 2010, inclusive. Discussion of deficiencies that could have no impact on customers could be redacted.

I called the Claims Administrator yesterday, at 1-888-749-8173. The firm is well known in its field: Rosenthal & Co, which is part of Computershare.  What a fiasco!

Warning: DO NOT USE the information (more…)

NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.

On December 9, 2010, I filed and argued in court against the motion for preliminary approval:

Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns.  I’d highlight them thusly:  We pushed for an effective audit.   This settlement proposal notice is misleading and poorly publicized, and so cannot be fair.  It has an audit component that to the untrained or hasty eye is meaningful compensation, but (more…)

An actual HMG IS2 Full Accreditation Statement based on an actual ITSHC – an actual security audit by Deloitte, one of the Big Four audit firms – which demonstrates the auditor’s reputation has been put on the line, as well as the legal liability shouldered by such an audit.
Author: George McLeod, National Accreditation Manager, NPIA

Judge Walker has said that the audit component primarily benefits TD Ameritrade, not the class.  Here’s why I think a good audit component substantially benefits the class.  (more…)

The proposed settlement has been thrown out!

What did I think of the decision?

What do I want to see happen?

The media is asleep on the job?

(more…)

THE SNOWJOB TD Ameritrade’s PR goons pulled is unraveling.  UCAN’s Privacy Rights Clearinghouse, run by Beth Givens, has corrected its database entry for the breach.  Attrition.org/datalossdb.org have corrected their entry.  Both now indicate that social security numbers were compromised.

Today is the hearing on approval of the settlement –  at 10 AM (September 10th) in Courtroom 6, 17th Floor, 450 Golden Gate in San Francisco. Wish me and my Allied Forces luck.   I expect several parties will/won’t speak: (more…)

Ted Frank writes here that

To date, there is no evidence that the spam was connected to Ameritrade, or that a breach of Ameritrade data security that released home addresses for its customers has resulted in any harm, despite Ameritrade seeding databases with dummy spam-catcher e-mail addresses, and multiple analyses of whether identity theft had occurred.

Wow.  Is this guy actually too stupid to be allowed near a computer keyboard, or is he just trying to spin things in the usual AEI way?  This guy has an impressive reality distortion field around his head.  This is totally contradicted by the complaint, which is supported by the evidence filed in the case. There is, the complaint explains, ironclad proof from a large number of computer gurus that the spam was connected to TD Ameritrade, namely that the spam was sent to unique email addresses stolen from a core TD Ameritrade customer database.  A database which TD Ameritrade has admitted got broken into and plundered.  That it admitted contained the names, addresses, social security numbers, dates of birth, and account balances of its 6.3 million customers.  But Ted Frank’s ostrich-style thinking is like that of TD Ameritrade, a firm that is claiming that it’s plausible that crooks breaking into the equivalent of Fort Knox would leave the gold (the Social Security Numbers) and just take the silver (the email addresses).  That a rash of Identity Theft that began right after the breach was discovered does not constitute evidence connecting the two.
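An added example, not from this blog or the case filings, of the attribution logic behind that evidence: when each company is given its own unique (tagged) address, spam arriving at one of those addresses points at the list that leaked, and a canary address never given to anyone should receive nothing. The registry, tags and sample recipients below are constructed.

```python
# Added example: attributing an address-list leak from per-vendor tagged
# addresses. Everything here (tags, vendor names, recipients) is constructed.
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed registry: each party was handed a unique "user+TAG@domain" address.
TAG_REGISTRY: Dict[str, str] = {
    "brokerage-2005": "brokerage (sample vendor A)",
    "newsletter-2006": "newsletter (sample vendor B)",
    "canary-unused": "canary: never given to anyone",
}

def tag_of(address: str) -> Optional[str]:
    """Return the plus-address tag of 'user+TAG@domain', or None if untagged."""
    local, _, domain = address.partition("@")
    if not domain or "+" not in local:
        return None
    return local.split("+", 1)[1].lower()

def attribute_spam(recipients: Iterable[str],
                   registry: Dict[str, str] = TAG_REGISTRY) -> Dict[str, int]:
    """Count spam hits per recipient address and resolve each tag to the party
    that originally received that address. Unknown tags are kept visible so a
    dictionary attack or typo is not silently folded into a known party."""
    counts: Counter = Counter()
    for addr in recipients:
        tag = tag_of(addr)
        if tag is None:
            counts["untagged"] += 1
        else:
            counts[registry.get(tag, f"unknown tag: {tag}")] += 1
    return dict(counts)

def leaked_sources(recipients: Iterable[str],
                   registry: Dict[str, str] = TAG_REGISTRY,
                   threshold: int = 3) -> List[str]:
    """Parties whose unique address drew at least `threshold` spam messages.
    One hit could be guesswork; repeated hits on an address only that party
    ever held are evidence the party's copy of the address list leaked."""
    hits = attribute_spam(recipients, registry)
    return sorted(p for p, n in hits.items()
                  if n >= threshold and p in registry.values())

# Constructed spam log: recipient addresses of eight pump-and-dump messages.
SAMPLE_RECIPIENTS = (["alice+brokerage-2005@example.com"] * 4
                     + ["alice+newsletter-2006@example.com"]
                     + ["alice@example.com"] * 2
                     + ["alice+mystery@example.com"])
```

Running `leaked_sources(SAMPLE_RECIPIENTS)` on the constructed log names only the brokerage list, while the canary tag shows zero hits, which is the same reasoning the complaint applies to the stolen addresses.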

STOP znw-5#%—NO CARRIER
ABORT: -PEBCAK

Thank Yous are due to many folks who helped me in this mission. (more…)

If you have a TD Ameritrade account and use M$ Windows, you should read this Washington Post article.  Kudos to Brian Krebs; he is doing truly excellent work!

I hope to be seeking new counsel soon (i.e. new lawyers to represent me AND the class on a contingency basis). (more…)

I don’t understand why Scott Kamber, Bob Kris, and the rest at KamberEdelson and TD Ameritrade persist in attacking me, as they spent much time doing at the 9/15/08 hearing.   Their attacks to date have consisted of claims that are not only unsupported by the evidence but actually refuted by it.

Surely, they’re too smart to not realize that persuasion only goes so far in the face of cold hard evidence. (more…)

Much is on the record now.  I just filed this brief and this declaration with the court, prepared by my new counsel.

We shred the proposed settlement.  We mention (more…)

FOUND (formerly: Seeking): Heroic Whistleblower

Update (May ’10): Since early ’09, I’ve been receiving information that answers many questions about the breach.  Since being notified of the breach in October ’05, TD Ameritrade launched 4 related investigations.  I know who ran each one and the detailed findings, if they come to light, will be very embarrassing to those who performed them.  All of them were apparently designed to not find anything and provide plausible deniability.  The Information Security department appeared to have ‘successfully’ failed to find what many of their customers, including several prominent ones, knew: someone was stealing massive amounts of customer PII from their computer systems.  But increasing pressure due to my lawsuit led to a fifth investigation, which found evidence of the problem.  Later investigations were also apparently designed to – and ‘successfully’ failed to – find evidence of massive identity theft due to stolen Social Security Numbers.  Those who were instrumental in these ‘successes’ were rewarded handsomely, while those who found evidence of the breach were punished severely.  I’ve updated this post to publicly provide a bit more information from the whistleblower than what I had previously disclosed.

Help!  I’m hoping a whistleblower will step up to provide additional info regarding the extent of the TD Ameritrade breach. (more…)

This IS a good piece of software.

I’ve used it, and found it was roughly comparable to similar suites from the big guys: Norton/Symantec and McAfee. (Like all of them, it will cause problems on some PCs.)

However, as a component of the settlement there are significant issues: (more…)

Welcome to Trials and Tribulations, a.k.a. caringaboutsecurity.wordpress.com, a.k.a. AMTD.elvey.com.

I’ve finally (belatedly!) started a blog where I can post about my case.  I want a place where I can say things in my own words.  I want to avoid spin, misquotations and misrepresentations.  The issues in this case are often complicated.  I’ve put too much of my heart and soul into this case to have things thrown off course.  I have literally put months of my time into researching and bringing the complaint, and consistently following and attempting to fulfill my duties as class rep to the best of my ability.

Wired has some coverage and some commentary on the case from yours truly (read all the way to the bottom of the Wired Threat Level page).  I’ll put up links to Google and Google News and Usenet and so forth as needed…

Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade, Inc. pump-n-dump spam and Identity Theft litigation.

I discovered the information security breach by which the Social Security Numbers of all 6.3 million AMTD customers were compromised and proved that criminals, namely identity thieves, had gained access to the database they were in.

There are about a dozen settlement components I’d like to comment on, or have already commented on.  I welcome your feedback; just use the form on the bottom of most pages on the site, including this one.