In his Between the Lines blog, Larry Dignan discussed TD Ameritrade's data breach and his experience as one of 6 million Ameritrade customers affected. TD Ameritrade has hired ID Analytics, Inc. "to investigate and monitor for potential identity theft." According to Larry's blog, TD Ameritrade stated that:
- "Assets are safe since user IDs, personal identification numbers and passwords were kept in a separate database;"
- "Email addresses, names, addresses and phone numbers were taken. This fact explains why TD Ameritrade was investigating a bunch of spam complaints;"
- "Account numbers, date of birth and Social Security numbers were in the breached database but not taken."
Is TD Ameritrade doing right by its customers?
After a data breach, companies seem quick to declare the "there's no evidence... sensitive data was used" line. Just because Ameritrade claims there was no evidence of sensitive data taken (e.g., SS#, DOB) doesn't mean it wasn't taken. The lack of evidence doesn't mean a theft didn't occur, couldn't have occurred, or won't occur.
I call this "lawyer speak" and I wonder how often it is used to downplay the severity of a data breach or limit the company's liability. Lawyer speak can mislead ID-theft victims into believing the data breach isn't as serious as it really is. I encountered this lawyer speak with IBM, especially when IBM repeatedly made the same statement (no evidence of theft) and described the personal data as "lost" and not stolen.
Any time sensitive data is exposed, there is the risk it'll be used criminally. In my mind, the risk period is very long... basically the rest of the ID-theft victim's life.
Also, this lawyer speak seems to be the first step in shifting the burden of the data breach from the company to the ID-theft victims. As long as Ameritrade frames the breach as a spam problem, it can treat it as no big deal and probably not worthy of more aggressive actions... like providing Ameritrade customers with free credit monitoring and credit restoration services for the next 2 years. The burden today is on the ID-theft victims to monitor their accounts and find any evidence (beyond spam) of theft or fraud.
Fortunately, we've discussed on I've Been Mugged many of the issues confronting Larry and Ameritrade customers:
- Timely communication of information: Ameritrade should have a web site or site section dedicated to informing affected customers... with regular updates... not just a PDF of a press release on its investor relations site. Don't do what IBM has done: IBM hasn't updated its data breach site since the original announcement.
- Status of the data breach investigation: Ameritrade claims that sensitive data (e.g., DOB, SS#) was exposed but not stolen. Huh? Identity thieves know the value of personal data. Ameritrade needs to provide clear evidence supporting this claim as 100% accurate, or abandon it. If Larry doesn't get this evidence, then he has to assume the worst and act accordingly to protect his identity.
- TD Ameritrade is required by law in many states to disclose the data breach. ID-theft victims should know their rights; some are state-specific. Good starting resources are the ID Theft Resource Center and the Privacy Rights Clearinghouse. Links to more resources are in the column on the right.
- Understand the best features in a credit monitoring service (which TD Ameritrade should offer Larry, since its data breach created the ID-theft risk). Learn from the concerns with IBM's credit monitoring offer. Ameritrade probably won't offer ID-theft victims a credit monitoring service as long as it clings to the "no evidence that sensitive data was taken" claim and treats the data breach as a spam-only issue.
- Understand the need to monitor credit reports and the limits of the Fraud Alert tool offered by the credit bureaus.
If I were Larry, I wouldn't be so quick to accept TD Ameritrade's statement at face value. Why? First, identity thieves know the value of personal data. DOBs and SS#s are far more valuable than e-mail addresses for spam. Second, the fact that hackers placed unauthorized code on Ameritrade's computers shows an intent to steal, to be stealthy about it, and to keep stealing over time. Third, this isn't Ameritrade's first data breach.
I suggest that Larry talk with Ameritrade about the data breach, as I did with IBM. I'd demand details about TD Ameritrade's data breach investigation, as I did with IBM. If Larry doesn't get satisfactory answers, he should move his accounts to another brokerage. I wish that I had that option with IBM. I didn't because IBM was a prior employer, and I didn't have a customer relationship with them.