Shostack + Friends Blog Archive


Once more into the Ameritrade Breach

Last week, I wrote:

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.

On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:”

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

Well, with a little more skepticism, words like “known” and “traceable” start to sound a lot less forthright. So perhaps my initial comment, that they’re shaping the news, was entirely on target, but in the wrong context.

There’s also this, from Information Week:

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.

As Rich Mogull says:

This is all Crisis Communications 101- as history has shown, the best way to defend your reputations in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn’t have seen a bottle of Tylenol on a store shelf since the 1980’s.

It’s too bad Ameritrade won’t be the first company to really come clean in a major breach. Which means there’s still an opportunity for the CEO of another firm to get ahead of the problem and be remembered for their vision.

You’ll read about whoever it is here.

2 comments on "Once more into the Ameritrade Breach"

  • Ram says:

    First off I’ll say that I’ve twice caught TDA leaking my email address (once was very long ago) . Second and perhaps the tastier morsel given its novelty is that I’ve been receiving monthly statements for a TDA customer other than myself for three months. I have twice called TDA to alert them to the situation and they have twice assured me that the addressee does not have my home address (I live in a single family residence). None the less the statements continue to arrive.
    When I first contacted TDA I was concerned that this might be part of a long play against my account but now I’m holding to the more likely theory that they are operationaly deficient. Care to recommend an online broker?

  • Ken says:

    Your blog software does not allow me to post if I have multiple paragraphs

Comments are closed.