[ISN] Ameritrade warns clients about potential data breach

InfoSec News isn at c4i.org
Thu Apr 21 01:25:49 EDT 2005

Forwarded from: Faust <faust at grift.com>


By Todd R. Weiss

A computer backup tape containing account information of more than
200,000 Ameritrade clients was apparently lost or accidentally
destroyed while being shipped, prompting the online investment
brokerage to notify the clients of a potential breach.

Donna Kush, a spokeswoman for the Omaha-based company, Wednesday
confirmed that a package of data backup tapes was damaged in transit
in late February by a shipping company that isn't being named. Four of
the tapes in the package disappeared after the package was damaged but
three were later found by the shipper during a search of its facility,
she said.

The fourth tape is still missing and is presumed to still be lost in
the facility or to have been destroyed accidentally.

"We do believe that foul play was not involved," Kush said. "We don't
feel that any of the [client] information has led to any misuse."

The backup tapes held account information for clients and former
clients from 2001 to 2003, Kush said.

Last week, the clients began receiving letters from Ameritrade telling
them of the incident and offering one free year of credit-protection
services from Identity Track. Chantilly, Va.-based Identity Track
monitors credit profiles and alerts clients to activity that may
indicate identity theft -- including recent inquiries, new accounts or
address changes. Consumers can also access and review their credit

In its letter to clients, Ameritrade said it's adding another layer of
security to their accounts.

Kush wouldn't discuss what is being done in detail. "We're evaluating
our processes and procedures on what we do here and are making some
changes," she said.

Kush said the company acted as quickly as possible after learning in
late February that the tapes were missing. "It took some time to work
with the [shipping] vendor" after the loss was discovered, she said.  
"It took some time just to find those three tapes." More time elapsed
as the search continued for the fourth tape.

"We feel we acted promptly," she said.

The backup tapes weren't labeled with Ameritrade's name or logo or any
other identifiable information, Kush said. Although the data on the
tapes was compressed and special equipment would be needed to read it,
the information wasn't encrypted.

Under California law, which mandates that customers be told of
potential data breaches, the company would have been required to
notify about 175,000 of the affected former and current clients. But
Ameritrade chose to send letters to all potentially affected clients.

The incident differs from several other recent high-profile data loss
cases, which largely involved computer system break-ins or the thefts
of actual computers. Last week, about 106,000 alumni of Tufts
University in Boston were notified that personal information stored on
a server used by the university for fund raising could have been
exposed to intruders.

Last month, officials at the University of California, Berkeley, said
they were notifying more than 98,000 graduate students and applicants
about the theft of a laptop computer on campus containing their names,
Social Security numbers and other personal information. Another data
breach in March at data broker LexisNexis may have exposed personal
information of some 320,000 people (see story), while credit and
personal information vendor ChoicePoint sold personal information on
about 145,000 people to thieves posing as legitimate businesses.

That incident was made public in February.

More information about the ISN mailing list