TD Ameritrade breach


How do I feel?

I feel like the justice system has let me down, like the Wall Street protesters who, e.g. want to see the executives of my former employer who lied to congress at least get arrested.

TD Ameritrade (TDA) has refused to pass a security audit, and the attorneys supposedly representing the class are OK with that. If TDA had secured their customer data properly, they would, most certainly, be eager to prove that to their customers and target market.

My friends and I are angry that TDA’s security is still Swiss cheese. Earlier this year, they accidentally admitted that they didn’t even have an IDS or IPS system in place! I hear they still don’t encrypt customer data and still grant staff far more customer data access than is needed to do their jobs. They’re in violation of Massachusetts law. They’re literally making millions serving customers over the Internet that they wouldn’t make without the Internet, but not taking the small steps necessary to protect those customers. They spent millions on attorneys (at one judge-managed mediation session, there were ~30 attorneys present.) Instead of covering up their mistakes, they should be doing the right thing.

They profit off the Internet, but won’t invest in it! Their databases are an open book to gangs and even determined high-school students. They should be hiring and training their staff and deploying resources so that they can pass a security audit. They’ll get hacked again. And when they do, they’ll be back in court. And this warning, which I delivered in court, will haunt them.

The Armstrong court cherry picked which objections in my final filing to address and which to ignore.  The court demonstrated that it doesn’t even understand the 9th District’s own General Order (regarding PDFs) because it’s too technical!  (Even though it’s quite simple.)  There’s no way it understood all the key technical security issues in this case.

There’s been a news blackout with respect to the fact that TD Ameritrade actively covered up the security breach, as the whistleblower-sourced information I’ve published here details.

I’m glad that TD Ameritrade has at least received some bad press for its disgraceful behavior, and that those who filed claims are expected to receive significant compensation.  I’m glad that the bulk of the class is at least somewhat aware of the breach.  Unfortunately, the insignificant cost of this settlement sends the message that executives who underfund the Information Security department and direct the cover-up of a security breach are making the right choices, as far as the financial interests of shareholders go.  TDA would need to spend more than it spent settling this case to shore up its security enough to pass a proper audit.

I called the Claims Administrator yesterday, at 1-888-749-8173. The firm is well known in its field: Rosenthal & Co, which is part of Computershare.  What a fiasco!

Warning: DO NOT USE the information (more…)

NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.

On December 9, 2010, I filed and argued in court against the motion for preliminary approval:

Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns.  I’d highlight them thusly:  We pushed for an effective audit.   This settlement proposal notice is misleading and poorly publicized, and so cannot be fair.  It has an audit component that to the untrained or hasty eye is meaningful compensation, but (more…)


An actual HMG IS2 Full Accreditation Statement based on an actual ITSHC – an actual security audit by Deloitte, one of the Big Four audit firms – which demonstrates the auditor’s reputation has been put on the line, as well as the legal liability shouldered by such an audit.
Author: George McLeod, National Accreditation Manager, NPIA

Judge Walker has said that the audit component primarily benefits TD Ameritrade, not the class.  Here’s why I think a good audit component substantially benefits the class.  (more…)

The proposed settlement has been thrown out!

What did I think of the decision?

What do I want to see happen?

The media is asleep on the job?

(more…)

THE SNOWJOB TD Ameritrade’s PR goons pulled is unraveling.  UCAN’s Privacy Rights Clearinghouse, run by Beth Givens, has corrected its database entry for the breach.  Attrition.org/datalossdb.org have corrected their entry.  Both now indicate that social security numbers were compromised.

Today is the hearing on approval of the settlement –  at 10 AM (September 10th) in Courtroom 6, 17th Floor, 450 Golden Gate in San Francisco. Wish me and my Allied Forces luck.   I expect several parties will/won’t speak: (more…)

Ted Frank writes here that

To date, there is no evidence that the spam was connected to Ameritrade, or that a breach of Ameritrade data security that released home addresses for its customers has resulted in any harm, despite Ameritrade seeding databases with dummy spam-catcher e-mail addresses, and multiple analyses of whether identity theft had occurred.

Wow.  Is this guy actually too stupid to be allowed near a computer keyboard, or is he just trying to spin things in the usual AEI way?  This guy has an impressive reality distortion field around his head.  This is totally contradicted by the complaint, which is supported by the evidence filed in the case. There is, the complaint explains, ironclad proof from a large number of computer gurus that the spam was connected to TD Ameritrade, namely that the spam was sent to unique email addresses stolen from a core TD Ameritrade customer database.  A database which TD Ameritrade has admitted got broken into and plundered.  That it admitted contained the names, addresses, social security numbers, dates of birth, and account balances of its 6.3 million customers.  But Ted Frank’s ostrich-style thinking is like that of TD Ameritrade, a firm that is claiming that it’s plausible that crooks breaking into the equivalent of Fort Knox would leave the gold (the Social Security Numbers) and just take the silver (the email addresses).  That a rash of Identity Theft that began right after the breach was discovered does not constitute evidence connecting the two.
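The attribution logic both the quote and the rebuttal turn on (unique, per-source email addresses that tie spam back to the database they came from) is shown below as an added example; it is not code from this post, from TD Ameritrade, or from any party’s filings. A data owner derives a handful of canary addresses for each copy of a dataset it holds or hands out, never uses them anywhere else, and when junk mail arrives at one of them the address alone identifies which copy leaked. The address scheme, the HMAC secret, the dataset names and the inbound messages are all constructed for illustration.

```python
import hmac
import hashlib
import re
from collections import Counter

# Constructed demo secret; in practice a secret held only by the data owner,
# so nobody else can forge or enumerate canary mailboxes.
SECRET = b"constructed-demo-secret"


def canary_address(dataset_id: str, index: int, domain: str = "example.com") -> str:
    """Derive an unguessable mailbox name bound to one dataset copy.

    HMAC over (dataset_id, index) means the owner can recompute every canary it
    ever planted, while an outsider cannot tell a canary from a real address.
    """
    tag = hmac.new(SECRET, f"{dataset_id}:{index}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"c-{tag}@{domain}"


def seed_datasets(dataset_ids, per_dataset: int = 3) -> dict:
    """Return a lookup table address -> dataset_id for every canary planted."""
    index = {}
    for ds in dataset_ids:
        for i in range(per_dataset):
            index[canary_address(ds, i)] = ds
    return index


# Recipient headers as they appear in raw inbound mail, one header per line.
RCPT_RE = re.compile(r"^(?:To|Delivered-To):\s*<?([^>\s]+)>?", re.MULTILINE | re.IGNORECASE)


def attribute_spam(messages, index: dict) -> Counter:
    """Count, per dataset copy, the messages delivered to one of its canaries.

    A single hit already proves that copy left the owner's control; the counts
    show which copies are being worked hardest by the spammer.
    """
    hits = Counter()
    for raw in messages:
        for rcpt in RCPT_RE.findall(raw):
            ds = index.get(rcpt.lower())
            if ds is not None:
                hits[ds] += 1
    return hits


# Constructed dataset copies: the core customer database and an export given to a partner.
CANARIES = seed_datasets(["core-customer-db", "partner-export"])

# Constructed inbound mail: two pump-and-dump pitches hit core-db canaries,
# one legitimate newsletter goes to an ordinary address.
SAMPLE_MAIL = [
    f"From: tips@pump.invalid\nTo: <{canary_address('core-customer-db', 0)}>\nSubject: Hot stock\n\nBuy now.",
    f"From: tips@pump.invalid\nTo: <{canary_address('core-customer-db', 2)}>\nSubject: Hot stock\n\nBuy now.",
    "From: news@legit.invalid\nTo: <someone@example.com>\nSubject: Weekly update\n\nHello.",
]


def demo() -> Counter:
    """Run attribution over the constructed sample; returns {'core-customer-db': 2}."""
    return attribute_spam(SAMPLE_MAIL, CANARIES)


if __name__ == "__main__":
    for dataset, count in demo().items():
        print(f"{count} spam message(s) reached canaries planted in {dataset}")
```

The evidentiary value comes entirely from uniqueness: each canary must exist in exactly one copy of the data and never be published, used for signup, or shared with a vendor, otherwise a hit no longer singles out one source. Keeping the derivation keyed lets the owner re-derive the full list years later for a filing without storing it in the very database being watched.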

STOP znw-5#%—NO CARRIER
ABORT: -PEBCAK

Thank Yous are due to many folks who helped me in this mission. (more…)

If you have a TD Ameritrade account and use M$ Windows, you should read this Washington Post article.  Kudos to Brian Krebs; he is doing truly excellent work!

I hope to be seeking new counsel soon (i.e. new lawyers to represent me AND the class on a contingency basis). (more…)

I don’t understand why Scott Kamber, Bob Kris, and the rest at KamberEdelson and TD Ameritrade persist in attacking me, as they spent much time doing at the 9/15/08 hearing.   Their attacks to date have consisted of claims that not only are not backed up by evidence, they are actually refuted by it.

Surely, they’re too smart to not realize that persuasion only goes so far in the face of cold hard evidence. (more…)

Much is on the record now.  I just filed this brief and this declaration with the court, prepared by my new counsel.

We shred the proposed settlement.  We mention (more…)

FOUND (formerly: Seeking): Heroic Whistleblower

Update (May ’10): Since early ’09, I’ve been receiving information that answers many questions about the breach.  Since being notified of the breach in October ’05, TD Ameritrade launched 4 related investigations.  I know who ran each one, and the detailed findings, if they come to light, will be very embarrassing to those who performed them.  All of them were apparently designed to not find anything and provide plausible deniability.  The Information Security department appeared to have ‘successfully’ failed to find what many of their customers, including several prominent ones, knew: someone was stealing massive amounts of customer PII from their computer systems.  But increasing pressure due to my lawsuit led to a fifth investigation, which found evidence of the problem.  Later investigations were also apparently designed to – and ‘successfully’ failed to – find evidence of massive identity theft due to stolen Social Security Numbers.  Those who were instrumental in these ‘successes’ were rewarded handsomely, while those who found evidence of the breach were punished severely.  I’ve updated this post to publicly provide a bit more information from the whistleblower than what I had previously disclosed.

Help!  I’m hoping a whistleblower will step up to provide additional info regarding the extent of the TD Ameritrade breach. (more…)

Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade pump-n-dump spam and Identity Theft litigation. (I discovered the information security breach by which the Social Security Numbers of all 6.3 million+ AMTD customers were compromised and proved that known criminals had gained access to the database they were in.)

(UPDATED December, 2011) Finally, a little of TD Ameritrade’s money is going to a few of the class members it ripped off.  It’s taken 6 years to get here!  Though TD Ameritrade refuses to pass a security audit and covered up the breach, the government (in the form of the SEC and the federal judiciary), and the Financial Industry’s self-regulatory-organization Authority (FINRA, nee NASD) have let it off with a ‘slap on the wrist’ that will have no material impact on the company. I guesstimate the ‘slap on the wrist’ was over $40 million: $6.5 million for the settlement, plus the cost of my attorneys, their attorneys, printing, stuffing and mailing over 12 million letters, litigation costs (flying dozens of attorneys to San Francisco), increased insurance costs, loss of business, etc.   Criminals had gained ongoing access to TD Ameritrade’s customer database back in October, 2005.   This database contains 6.3 million+ customers’ names, addresses, mailing addresses, email addresses, trading histories, account numbers, account balances, dates of birth – oh, and social security numbers too.  AMTD knew of, covered up, and failed to fix the problem for TWO YEARS. How do I know this?

Notes for new readers:

  • If you’re new here or found this useful, or just want to offer your support or feedback, please add a comment. I will keep the comment private, if you prefer. (Oops; they were turned off.  On now. Moderation is on.)
  • This article is sticky, which means it always appears at the top. Other articles appear below this one, newest first.
  • The blog may be easiest to follow if you start with the oldest post first.  Just scroll down and start there.
  • Like on many blogs, only part of each article on the site appears on the main page. (The whole article becomes viewable if you click the title.) The bulk of the article becomes viewable if you click the “(more…)” tag after reading to the end of the teaser text. Like this:

(more…)

Welcome to Trials and Tribulations, a.k.a. caringaboutsecurity.wordpress.com, a.k.a. AMTD.elvey.com.

I’ve finally (belatedly!) started a blog where I can post about my case.  I want a place where I can say things in my own words.  I want to avoid spin, misquotations and misrepresentations.  The issues in this case are often complicated.  I’ve put too much of my heart and soul into this case to have things thrown off course.  I have literally put months of my time into researching and bringing the complaint, and consistently following and attempting to fulfill my duties as class rep to the best of my ability.

Wired has some coverage and some commentary on the case from yours truly (read all the way to the bottom of the wired threat level page).  I’ll put up links to Google and google news and usenet and so forth as needed…

Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade, Inc. pump-n-dump spam and Identity Theft litigation.

I discovered the information security breach by which the Social Security Numbers of all 6.3 million AMTD customers were compromised and proved that criminals, namely identity thieves, had gained access to the database they were in.

There are about a dozen settlement components I’d like to comment on, or have already commented on.  I welcome your feedback; just use the form on the bottom of most pages on the site, including this one.