Analyzing The TD Ameritrade Disclosure
In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”)
It appeared that no SSNs, account numbers, or other information was stolen. So why is Ameritrade announcing it, and what can information security professionals learn from this?
It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.
Second, they’re shaping their customer response. Rather than have customers hear about it from someone in a state with a broad disclosure notice, and worry “was I affected, too?”, they’re telling everyone. That allows them to appear proactive and caring, rather than reactive and hiding.
Third, they’ve probably kept costs way down by not paying a law firm to analyze their requirement to disclose under a variety of laws.
Finally, they were smart early, and separated their customer data from the deeply sensitive stuff, which was kept in a different database.
So what can someone who’s just been breached learn from this?
First, segment your data now. It pays off, probably more than a lot of products you might buy.
Second, when you encounter an incident, think about taking control of the situation, rather than letting the situation control you. Spending time planning for a variety of breaches will pay off, both for the companies that are ready, and for the leader who initiated the process.
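One concrete shape the "segment your data" lesson can take is to keep the contact directory and the sensitive identifiers in separate stores, joined only by a random opaque reference. The following is an added example (not TD Ameritrade's design, and not code from the original post); the customer records, table layouts and the in-memory SQLite databases are all constructed for illustration. The point it shows is the blast radius: a full dump of the directory store yields names and e-mail addresses but no SSN or account number, and only one sanctioned code path ever touches the vault.

```python
import secrets
import sqlite3

# Constructed customer records for the example; no real data.
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.net", "ssn": "000-00-0001", "account": "ACCT-0001"},
    {"name": "B. Example", "email": "b@example.net", "ssn": "000-00-0002", "account": "ACCT-0002"},
]

SENSITIVE_FIELDS = ("ssn", "account")


def build_segmented_stores(customers):
    """Create two separate databases: a contact directory holding only name/email
    plus an opaque reference, and a vault holding the sensitive identifiers keyed
    by that reference. Returns (directory_conn, vault_conn)."""
    directory = sqlite3.connect(":memory:")
    vault = sqlite3.connect(":memory:")
    directory.execute("CREATE TABLE contacts (ref TEXT PRIMARY KEY, name TEXT, email TEXT)")
    vault.execute("CREATE TABLE identifiers (ref TEXT PRIMARY KEY, ssn TEXT, account TEXT)")
    for c in customers:
        # Random reference: not derived from the SSN or account number, so the
        # directory carries nothing that can be reversed into a sensitive value.
        ref = secrets.token_hex(16)
        directory.execute("INSERT INTO contacts VALUES (?, ?, ?)", (ref, c["name"], c["email"]))
        vault.execute("INSERT INTO identifiers VALUES (?, ?, ?)", (ref, c["ssn"], c["account"]))
    directory.commit()
    vault.commit()
    return directory, vault


def dump_everything(conn):
    """What someone with full read access to one store obtains: every row of
    every table, rendered as one string."""
    rows = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in conn.execute(f"SELECT * FROM {table}"):
            rows.append(" ".join(str(v) for v in row))
    return "\n".join(rows)


def sensitive_values_exposed(dump, customers):
    """Return the sensitive values from `customers` that appear verbatim in `dump`."""
    return [c[f] for c in customers for f in SENSITIVE_FIELDS if c[f] in dump]


def lookup_sensitive(directory, vault, email):
    """The one sanctioned path: resolve a customer to its opaque ref in the
    directory, then fetch identifiers from the vault. Only this code path needs
    vault credentials; everything else runs with directory access alone."""
    row = directory.execute("SELECT ref FROM contacts WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    ident = vault.execute(
        "SELECT ssn, account FROM identifiers WHERE ref = ?", (row[0],)
    ).fetchone()
    return {"ssn": ident[0], "account": ident[1]} if ident else None


if __name__ == "__main__":
    directory, vault = build_segmented_stores(CUSTOMERS)
    print("directory dump exposes:", sensitive_values_exposed(dump_everything(directory), CUSTOMERS))
    print("vault dump exposes:", sensitive_values_exposed(dump_everything(vault), CUSTOMERS))
    print("sanctioned lookup:", lookup_sensitive(directory, vault, "a@example.net"))
```

In a real deployment the two stores would be separate systems with separate credentials, and the front-end tier that serves e-mail and marketing functions would hold only the directory credential; the in-memory databases here stand in for that separation.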
From: http://www.amtd.com/spam_faq.cfm
My read on the above is they feel comfortable concluding that SSNs for TD Waterhouse people were not taken, but they do not feel similarly comfortable about anyone else (or else they’d have said so).
So, do you believe they were wise to report even if they didn’t have to? If no SSNs or CC’s were disclosed then most if not all state disclosure laws don’t kick in.
We’ve had discussions in the past about privacy breaches and it’s certainly not all about financial data. But if, for example, what was leaked was name, address, and telephone, should they disclose? What if account balance was included? How about email address also?
GLBA is pretty weird on this point in that public information that a bank gathers as part of its business is covered, even if that information is generally known. That is, the bank is on the hook to not disclose it.
GLBA doesn’t cover Ameritrade, but it’s still a useful comparison.
Thoughts?
The “deeply sensitive” stuff was in the SAME database, not a different one. From TD Ameritrade’s press release:
“While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken”
I am not convinced that this data was not accessed. I have also read speculation that this may have been an insider (a la Certegy/FIS).
I agree with you that segmentation is a very good thing, but more so I believe that confidential data at rest should be encrypted. Encryption is very misunderstood and underutilized.
TD Ameritrade had no choice in whether or not to disclose this incident. Too many of their customers were already suspicious due to the amount of spam they were receiving. As time passes, more details will certainly surface.
One comment that I haven’t seen mentioned in most news outlets is:
“This issue is not unique to TD AMERITRADE. It’s something that all companies involved in e-commerce should be aware of and prepared to address,” Moglia continued. “We participate in industry peer groups to share information on these types of threats in the interest of protecting all clients.”
This comment leaves a lot to my imagination!
The “shaping the story” bit is interesting, given that this problem has been going on for at least a year so far. I suppose that, given enough PR budget, such shaping can still have some beneficial effect for TD Ameritrade? Regardless, let’s cover here some of the reality.
TD Ameritrade has, like United Airlines et al, been leaking customer info for years now. Those who provide keyed email addresses to the company have repeatedly reported that days to weeks after an address change, pump and dump stock spammers were hitting the unique addresses. Most interestingly, according to the victims there were no indications in their mail system logs of dictionary attacks being used. The pump and dumpers were instead attacking the specific addresses that had been given solely to TD Ameritrade.
Throughout the mess, TD Ameritrade insisted that their customers’ home PCs must have been compromised so as to leak the addresses, while also claiming they could disclose no details due to an “ongoing investigation”. This was sensible boilerplate, even if seriously bad customer service, given reasonable fears of class actions regarding improper financial data disclosure. Along those lines, you’ll note that TD Ameritrade is still insisting in their announcement that no financial info was stolen during the compromise.
Within the last month, TD Ameritrade finally did two things. First, they canned a contractor company. Second, they notified the most persistent complainers that TD Ameritrade’s “ongoing investigation” had identified the problem. The actions may be coincidental, of course. Then last week they made their public announcement.
However, there may be a fly in that ointment. Keyed addresses purportedly given to TD Ameritrade after TD Ameritrade claims to have secured access to their compromised database are now being spammed by the same kind of pump and dump gang as before… Whee.
This breach happened quite a while ago – I use custom email addresses and confronted them on it months ago. This is the *second* time they’ve leaked my (custom to TDA) email address. The FAQ is careful to distinguish between TDA and TDA-Waterhouse. Presumably most readers here know that they would have a hell of a time knowing if someone read data from their DB.
I conclude that they are late to report, possibly in response to a threatening letter from a (California?) customer’s lawyer. Further they are strictly spinning the position for TDA non-W clients (of which I am one).
If TD deserves kudos it is for an effective snow job rather than effective security or integrity.
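The keyed-address technique that the two commenters above relied on (a unique address handed to each vendor, so that spam arriving at it identifies who let it out) is easy to make systematic. The following is an added example, not code from the post or from any of the commenters; the domain, secret, vendor registry and sample mailbox are all constructed for illustration. Beyond the plain per-vendor tag the comments describe, it authenticates the tag with an HMAC, so a sender who has learned one address cannot forge a valid-looking one for a different vendor, and it separates mail to genuinely issued addresses from mail to guessed or forged ones, which is the distinction the commenter draws between a targeted leak and a dictionary attack.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed values for the example; a real deployment keeps the secret out of source.
DOMAIN = "example.net"
SECRET = b"constructed-example-secret"
TAG_LEN = 8

# Hypothetical vendor registry: vendor label -> domain its legitimate mail comes from.
KNOWN_VENDORS = {
    "broker": "broker.example.com",
    "airline": "airline.example.com",
}


def keyed_address(vendor: str, secret: bytes = SECRET) -> str:
    """Return the unique address handed to one vendor, e.g. user+broker.1a2b3c4d@example.net.
    The tag is an HMAC over the vendor label, so knowing one address does not let
    anyone construct a valid address that would be attributed to another vendor."""
    tag = hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"user+{vendor}.{tag}@{DOMAIN}"


_ADDR_RE = re.compile(r"user\+([a-z0-9-]+)\.([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(DOMAIN)))


def attribute_address(recipient: str, secret: bytes = SECRET):
    """Map an inbound recipient address back to the vendor it was issued to.
    Returns the vendor label, or None if the address is not a valid keyed address
    (plain address, unknown vendor label, or a tag that does not verify)."""
    m = _ADDR_RE.fullmatch(recipient.strip().lower())
    if not m:
        return None
    vendor, tag = m.group(1), m.group(2)
    if vendor not in KNOWN_VENDORS:
        return None
    expected = hmac.new(secret, vendor.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return vendor


def leak_report(messages):
    """Classify inbound (sender, recipient) pairs.
    Returns (suspect_counts, rejected): suspect_counts maps vendor -> number of
    messages to that vendor's keyed address from senders outside the vendor's own
    domain (the address has reached a third party); rejected counts messages to
    addresses that are not valid keyed addresses (guessed or forged)."""
    suspect = Counter()
    rejected = 0
    for sender, recipient in messages:
        vendor = attribute_address(recipient)
        if vendor is None:
            rejected += 1
            continue
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain != KNOWN_VENDORS[vendor]:
            suspect[vendor] += 1
    return dict(suspect), rejected


# Constructed sample mailbox: the broker's address is hit by stock-touting senders,
# the airline's address only ever sees mail from the airline itself.
SAMPLE_MAIL = [
    ("statements@broker.example.com", keyed_address("broker")),
    ("hotpicks@pumpanddump.example", keyed_address("broker")),
    ("tips@another-spam.example", keyed_address("broker")),
    ("itinerary@airline.example.com", keyed_address("airline")),
    ("guess@spam.example", "user+broker.00000000@example.net"),  # tag does not verify
    ("guess@spam.example", "user+bank.1a2b3c4d@example.net"),    # label never issued
]

if __name__ == "__main__":
    counts, bad = leak_report(SAMPLE_MAIL)
    print("suspected leaks per vendor:", counts)
    print("messages to invalid keyed addresses:", bad)
```

Run over a real mailbox, the first number per vendor is the evidence the commenters describe: mail from unrelated senders to an address only that vendor was ever given. The rejected count is what a dictionary or guessing attack would inflate, so a high suspect count with a low rejected count points at a leak on the vendor's side rather than at the recipient's own systems.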