Data Theft Notifications - How Soon is Too Soon?

Posted by Cliff
from the sooner-than-later dept.
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?"
  • Do more (Score:4, Insightful)

    by omeomi (675045) on Friday September 22, 2006 @10:45PM (#16164743) Homepage
    They should do more to keep it from happening in the first place. Seriously, there's a new breach at some major corporation or government office every other week or so. It's ridiculous.
    • Re: (Score:3, Funny)

      by bky1701 (979071)
      Damn software pirates stealing data!!!!1!111!11one
    • Re:Do more (Score:4, Insightful)

      by AusIV (950840) on Friday September 22, 2006 @11:24PM (#16164899)
      That's easy to say, but it's really not so simple. Some data leaks happen because of software issues. More likely an employee figured they could make a buck selling data. Hiring more trustworthy employees requires paying more money, and that has to get passed on to the customers, who in turn take their business somewhere cheaper and less trustworthy. Customers want security, but they're not willing to pay a little extra for it.
      • Re:Do more (Score:4, Insightful)

        by omeomi (675045) on Friday September 22, 2006 @11:39PM (#16164955) Homepage
        Hiring more trustworthy employees requires paying more money, and that has to get passed on to the customers, who in turn take their business somewhere cheaper and less trustworthy

        For companies and agencies that have to have highly sensitive information like SSN's on file, there should be an exceptionally small number of people who have access to that information. A small enough number that I can count them on one hand. And none of those people should ever be allowed to take any portion of that list out of the system in any way, not on a thumb drive, not on a laptop, nothing. The vast majority of the employees should only be able to access the last 4 numbers of any given person for verification purposes.
        • Re:Do more (Score:4, Insightful)

          by houghi (78078) on Saturday September 23, 2006 @04:06AM (#16165877)
          For companies and agencies that have to have highly sensitive information like SSN's on file

          First start with the fact whether or not the company needs the SSN or not. When in doubt, the answer is no.
          employees should only be able to access the last 4 numbers of any given person for verification purposes.

          It is a Social Security Number, not a Person Verification Number. If you use it for anything else than for Social Security reasons, you do not need to get it in the first place.
          The best way not to lose the data or be tempted to sell it is not to have it.
          • First start with the fact whether or not the company needs the SSN or not. When in doubt, the answer is no.

            In this day and age, the answer is Yes. Names change - people get married, divorced, decide to use Chuck or Charly instead of Charles. People move. Matching things up on these two - name and address - works 99.9% of the time (with a little effort) - but isn't absolute. SSN (and SIN for those in the Maple Leaf state) allows a match for that final 0.1%. (Yes, SSN change occasionally too, but

        • by ultranova (717540)

          And none of those people should ever be allowed to take any portion of that list out of the system in any way, not on a thumb drive, not on a laptop, nothing.

          And who's going to enforce this rule ?

          It is impossible to design a system that is immune to corruption, especially if the designers/maintainers themselves could possibly be prone to it. The only solution is to pay enough money to your employees that they don't want to risk their job, and treat them well enough that they don't want to screw you -

          • by omeomi (675045)
            And who's going to enforce this rule ?

            I never said it should be a rule/law or anything like that. However, I think it's a policy that corporations / gov't agencies / universities should get through their thick skulls, and the only way that's going to happen is if the consumer gets fed up enough to do something about it. Losing customer's private information is not acceptable. Ever. When I was in college, I had to argue with one of my teachers to keep her from posting my SSN on the wall in the hallway wi
            • by ultranova (717540)

              I never said it should be a rule/law or anything like that. However, I think it's a policy that corporations / gov't agencies / universities should get through their thick skulls, and the only way that's going to happen is if the consumer gets fed up enough to do something about it.

              You missed my point. If there's a corporate policy that only select few may access the data, then there must be someone who enforces this policy and keeps everyone not authorized to access the data from accessing it. Who guar

      • by Asic Eng (193332)
        Customers are not willing to pay more on the mere chance that the data is more secure. This is a great example of a market not delivering what customers want, because finding out whether one company is better at providing the service than the other, is close to impossible. (I'm joking of course, the market is the only perfect thing in the known universe.)
      • by aussie_a (778472)
        That's funny. I know plenty of people who buy doors with better locks than cheaper doors. Guess they're just fictional people though?
        • by AusIV (950840)
          When you buy a door with better locks, you can see outright that you're getting better security. If it costs a little bit more to do business with a company, but the extra security is not obvious, customers will go somewhere else that charges less. If someone does a lot of research to find out that a company has a much better track record than a cheaper competitor, they might go to the more expensive company, but this is probably a small enough percentage of people that businesses can't depend on them to ma
      • by canuck57 (662392)

        That's easy to say, but it's really not so simple. Some data leaks happen because of software issues.

        It is actually simple, it is about priorities. Business says "Gotta have that (insecure unstable) app at all costs". Security says "It is a big risk". Management derates security over a vendor lunch until a breach occurs. Senior management does a knee jerk. Repeat until lesson learned or out of business.

        Hiring more trustworthy employees requires paying more money

        Very true, yet you get a drug test b

        • Re: (Score:3, Interesting)

          by The Snowman (116231) *

          Very true, yet you get a drug test but how many firms do a background or credit check on everyone who comes in contact with the data? Are your contractors liable?

          Employees and contractors coming in contact with money, financial data (of which SSN is one piece), and any other customer data should be bonded. That is not a perfect solution, but a good first step. Try working in a bank branch without being bonded -- probably not going to happen. Banks know there's a lot at risk (and the government probably req

    • by sumdumass (711423)
      I had two similar email addresses that I used only for two separate things. Everything was fine and dandy until they started being flooded with spam.

      Turns out someone misconfigured a mailserver and someone was able to harvest the email accounts for all the domains configured on the server. The other problem was traced to some bullshit E-Greeting card that my girlfriend decided to open when she checked her mail. Several weeks after the problem started on that address, the same E-card she sent me was implicate
    • by sgt_doom (655561)
      Hmmmm...Commerce "loses" over 1,100 laptops -- about the same number of laptops required for a coordinated national elections rigging.

      Hmmmmm....

  • Safe/sorry (Score:5, Informative)

    by sporkme (983186) * on Friday September 22, 2006 @10:52PM (#16164777) Homepage
    Lock it down. [ftc.gov] Cancel the email account and have any attached credit cards cancelled/changed. Change your checking account number. Keep thorough records and dig to find recent bank statements, etc. This can be a huge hassle.

    File complaints with the federal and your state Attorneys General against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.

    I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.
    • by petes_PoV (912422)
      Overseas types are pretty damned creative with your numbers

      So what are you saying? American fraudsters are dumb?

      Maybe someone should start a campaign to get them up to the same level of skill as those from other countries. Or is this more of a reflection of the level of education.

      Anyone going to start offering college courses in electronic fraud. If you do, don't accept any form of payment except cash.

      • by sporkme (983186) *
        No, genius, US Attorneys General do not exactly have jurisdiction over the overseas types --hence the emphasis. Please, don't anyone train US resident scammers! What are you arguing here? Just felt like posting? Did I somehow indicate that I am prejudiced against US Citizen scammers vs. foreign ones? Are you standing up for some group, whose rights I have trampled? I mean, really... bouncing off the walls.
        • I think what petes_PoV was picking up on is just the fact that 'overseas types' is such a crass and outdated notion and turn of phrase. For a start, the internet is an international audience, so using this term is very US-centric and out of place. It is also a really easy way to offend all of us 'overseas types'. It's like me saying "those USA types are really dodgy characters" - IOW it's a sweeping generalisation with no basis in fact.

          Is Canada overseas? How about Mexico? Colombia? It's a fairly big co
    • Consider a 6-month paid monitoring service from a major credit reporting bureau.

      With [slashdot.org] how [slashdot.org] often [slashdot.org] it's [slashdot.org] happening [slashdot.org], it may already be paid for for him.
    • Oh, and don't forget to change your SSN as well. And just to be safe, have that tattoo altered. Pick something else obvious for your dog's name. And for God's sake, change your luggage combination!
    • by nexu56 (566998)
      bugfix: paranoid != out to get you
    • by Alchemar (720449)
      A lot of people think this is extreme, but they just don't understand that once someone has established your SSN, there is nothing you can do that works. You can get letters to show people that run a credit check, but it will not come off your record for 7 years, and most people that are running a credit check won't give you the chance to explain. This includes housing, employers, and your car insurance. If you can get by without those, you probably don't need to worry about ID theft anyway.

      I went to

    • If some nefarious evildoer got ahold of EVERYTHING, not just your e-mail address, you would be getting a lot more than spammed stock touts. I really doubt the OP's SSN/Checking Account has been compromised.

      Think about it, if you are some bad guy with the complete customer records of XXX,000 brokerage customers, what are YOU going to do with it? Send out a measly XXX,000 e-mails touting some worthless stock, or just steal the money out of the checking accounts outright?

      To me, this sounds like some greedy m
  • It turns out there is an 'ongoing investigation,' which includes 'outside agencies,'

    Kudos to you! I'm surprised that you have gotten as much information from them as you have. When a breach occurs, a company's first response is always to circle the wagons and cover up the mishap as soon as possible. This means keeping the bad press from anyone that doesn't already know, especially including the people in their customer service department who could let a thing like this slip.

    But in answer to your quest

  • Plug the hole first (Score:4, Interesting)

    by ShaunC (203807) on Friday September 22, 2006 @10:55PM (#16164789)
    Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?
    If there's actually a security situation, I'd rather they plug the hole first prior to making an announcement.

    As soon as it becomes public knowledge that they've got a vulnerability somewhere, the number of people poking around their interface attempting to stumble upon that hole (or other ones) will skyrocket. Better to fix known problems before they essentially invite the community to look for chinks in their armor. That said, as soon as any known holes are patched, they should inform the affected users; or, if they can't determine whose information was nabbed, they should alert all of their customers.

    Keep in mind that no matter how suspicious the circumstances, unless you use that email address solely for your brokerage account, there's really no way to prove a connection unless the company admits it. A friend of mine started playing online poker, used his email address to sign up for the site, and doesn't get any poker spam. A week or so later, his wife started getting a ton of poker-related spam at her email address. It's just a coincidence, though it's about impossible to convince her of that.

    I've seen a huge uptick in stock spam lately, across the board (I have a number of email accounts and only one of them is tied to a brokerage). Maybe you're just on the same spam lists :)
    • by ShaunC (203807)
      I missed the part about "dedicated to my online trading account." It sounds like there's definitely been a breach, but my opinion of when customers should be notified remains the same.
    • by pthisis (27352)
      They should disclose immediately. There are clear steps you can take for your own protection (cancel online access if possible, close accounts, etc). The longer they wait before disclosing, the more vulnerable you are.

      The argument that they need time to fix the system before disclosing is a common one from places that don't care about security; they hate full-disclosure lists, favor only vendor disclosure, etc. And the "we need time to fix it" argument is a core part of their anti-security stance; it ign
  • by Jah-Wren Ryel (80510) on Friday September 22, 2006 @10:58PM (#16164803)
    Here's my story, it meanders off-topic but I think it is worth posting as an example of another kind of data breach, one caused by corporate greed:

    Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with, as in slashdot thinks my email is slashdot@mydomain.com, amazon thinks it is amazon@mydomain.com and etrade thinks it is etrade@mydomain.com - those examples are simplified for illustrative purposes.

    A while back, before the bubble burst, I dabbled in some options trading in my etrade account. Therefore, Etrade's marketing department decided that would make my contact information something they could sell to the CBOE and I started getting bi-weekly spam from somebody on behalf of the CBOE trying to sell me all kinds of bullshit options information -- all sent to my etrade-only address.

    After about a year of that crap, it finally stopped on its own. But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable.

    Whenever I get one these brokerage spams, I have to laugh. Etrade breached my privacy to make a buck or two and I'm sure they did the same thing to tens of thousands of other customers. But the end result is that their competition now has a confirmed mailing list of etrade customers, and the stupid greedy bastards GAVE it to them.

    I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...
    • by (H)elix1 (231155) <slashdot.helix@nOSPaM.gmail.com> on Friday September 22, 2006 @11:15PM (#16164865) Homepage Journal
      And for those who can't run their own email servers, a handy trick for those using a gmail account is to add a '+' to the user name, and it will deliver. Say I had a gmail account called slashdot@gmail.com. I could email slashdot+etrade@gmail.com and it will resolve to the slashdot@gmail.com address. Very handy for finding out who is being bad with privacy information when they ask for an email address.
      • by chgros (690878)
        a handy trick for those using a gmail account is to add a '+' to the user name
        The problem is that at least 1/2 of the services on the web will consider this an invalid address (despite it being perfectly valid). Very annoying.
      • Re: (Score:3, Insightful)

        by jfengel (409917)
        I would expect that a spammer would automatically strip out anything after the +, but I don't have any experimental data on that.
        • Have to admit I'm clueless about "allowable" characters in an email address, but suppose a user happened to use the plus sign (+) in their username, but not in the context of the discussion. It would mean the spammer would possibly miss a target (by stripping everything after the +), which they'd avoid if possible, presumably. I guess most likely they'd spam every possible iteration since it costs them nothing to cover all bases.
      • by Asic Eng (193332)
        Another good option would be to use http://sneakemail.com/ [sneakemail.com] You can generate addresses there each time you need to specify an email address - all the mail to these addresses will then be forwarded to your main account. If one of the addresses starts to bring in spam you can just remove it - and you know who caused the problem, too.
      • by ccarr.com (262540)
        And for those who DO run your own email servers (and DNS servers) I offer this method: your_name@etrade.example.com, your_name@slashdot.example.com, etc. In other words, put the unique part in the third-level domain instead of the user name.

        Down sides: creating a new address is more involved; if you don't control your own DNS servers, you have to wait for the zone to reload. I've scripted most of this so that I can set up a new one in under a minute.

        Up side: when an address is abused, you just yank th
        • You could always set up a wildcard MX/wildcard DNS server, so even foo@thisdoesntexist.mydomain.com works.
          • by mibus (26291)
            You could always setup a wildcard mx/wildcard dns servers, so even foo@thisdoesntexist.mydomain.com works.

            That would mean his server still has to respond to the spam. His way, the spammer's DNS lookup of the domain fails and there's absolutely no effort on his part to deal with the deluge of spam to that address.
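The per-service addressing scheme discussed in this subthread, as an added example (not code from any of the posters): it mints both the Gmail-style "+tag" form and the per-service subdomain form, attributes an incoming junk address back to the service it was issued to, and shows what jfengel's hypothetical list-cleaning spammer does to each. The domain "mydomain.example" and mailbox name "me" are assumptions.

```python
"""Attributing junk mail to the service that leaked the address.

Added example, not code from the original posts. The domain
"mydomain.example" and mailbox "me" are assumptions. It implements the two
schemes described in the thread, a Gmail-style "+tag" in the local part and
a per-service subdomain, and shows what happens when a list-cleaning
spammer strips everything after "+": the plus form loses its attribution,
the subdomain form does not.
"""
from typing import Optional

DOMAIN = "mydomain.example"   # assumption: a domain the mailbox owner controls
USER = "me"                   # assumption: the base mailbox name


def plus_address(service: str) -> str:
    """Sub-addressing: me+service@domain (the form Gmail delivers to the base box)."""
    return f"{USER}+{service.lower()}@{DOMAIN}"


def subdomain_address(service: str) -> str:
    """Per-service third-level domain: me@service.domain (needs your own DNS/MX)."""
    return f"{USER}@{service.lower()}.{DOMAIN}"


def attribute(address: str) -> Optional[str]:
    """Which service was this address issued to? None if it cannot be told."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain == DOMAIN:
        base, plus, tag = local.partition("+")
        return tag if (base == USER and plus and tag) else None
    suffix = "." + DOMAIN
    if domain.endswith(suffix) and local == USER:
        return domain[: -len(suffix)]
    return None


def spammer_normalize(address: str) -> str:
    """What a list-cleaning spammer does: drop any '+tag' from the local part."""
    local, _, domain = address.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def leak_report(received_to):
    """Count junk per issuing service, from the To: addresses of received spam."""
    counts = {}
    for addr in received_to:
        svc = attribute(addr) or "(unattributable)"
        counts[svc] = counts.get(svc, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: To: addresses from a batch of junk mail.
    junk = [
        plus_address("etrade"),
        plus_address("etrade"),
        spammer_normalize(plus_address("amazon")),      # tag stripped: attribution lost
        subdomain_address("hertz"),
        spammer_normalize(subdomain_address("hertz")),  # nothing to strip: attribution kept
    ]
    for service, n in leak_report(junk).items():
        print(f"{n:3d}  {service}")
```

The subdomain form also has the property mibus describes: once a leaked subdomain's MX record is deleted, the spammer's DNS lookup fails before any connection is made, whereas a wildcard MX (or the plus form) means the server still has to accept and discard the mail.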
    • by DuctTape (101304)
      I've since opened an account with TD Waterhouse (aka Ameritrade)...

      Ameritrade/TD-W also let its email addresses out, too. My specifically-for-Ameritrade email address got vanilla (same type as my other accounts; not investing at all) spam. So I changed it. Again.

      DT

    • Re: (Score:3, Interesting)

      by ptbarnett (159784)
      Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with [....]

      I do the same thing. So, I'll get to the point quickly...

      The email address that I use for my Hertz rental membership has been distributed to spammers, twice. The first time, I sent a complaint and after a while I got a patronizing response about how it couldn't be them, and was instead someone else to whom I had given the address. It must have been a form response, as I had alr

      • by phopon (977751)
        how difficult would it be for a network technician to configure a router/switch and modify an open-source network sniffer to snatch email addresses from the stream of email going to/from their customers -- and keep it hidden from anyone else that isn't in on it?

        Well that wouldn't be technically difficult, but most ISPs that I have experience with work VERY hard to prevent people from doing this and you would be an idiot to use this resource to steal email addresses. The more prudent thing to do if you had

    • by DieByWire (744043)

      I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...

      That's ironic, because the email account I used for Ameritrade only became the target of pump and dump spam.

      To give them some of the benefit of doubt, it was ameritrade@somedomain.com. I wouldn't be surprised if the pump and dumpers use similar addresses for all the domains they spam.

    • by edp (171151)
      I will add "me too" on the Ameritrade issue. My unique Ameritrade address was leaked before 2005-10-31, and a different unique Ameritrade address was leaked between 2005-11-24 and 2006-8-11. They did not respond to the first letter I sent about it, but now they have acknowledged the problem. At this point, they have to know when it happens, people will know.
    • by NevarMore (248971)
      "But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable."

      "I've since opened an account with TD Waterhouse"

      So you have done business with a company knowing that they advertise by spam.

      I do give you some credit, a 5 minute search failed to yield an email address though you are an avid Slashdot poster and a home theatre aficionado.

      Still. WTF man
      • So you have done business with a company knowing that they advertise by spam.

        Depends on how you look at it. Although I use the term spam loosely, I blame etrade for giving my address away in the first place, not the mailing list operator for using it - as far as I know, they have every right to think it is legit since they got it officially from etrade. If I were to interpret it strictly, I would never trade options either as it was the CBOE itself that first spammed me via etrade.
      • here's a little secret for ya. Every company is a spammer.
    • by kelnos (564113)
      I guess what I'm now wondering is... if TD Waterhouse/Ameritrade is willing to go and buy lists of competitors' customers' email addresses and then start spamming them, are they trustworthy enough not to sell out their own customers? Not saying that one implies the other, but IMHO both are at minimum somewhat-sketchy practices.
    • by fm6 (162816)
      To answer the question in your subject line: about as stupid as most companies nowadays. Selling your customer list to your competitors is bad for long-term growth, but good for beefing up your short term numbers. And it's the numbers dweebs that own 21st century capitalism, so that's all they care about.

      I used to buy a lot of stuff from Lands End. Then I got poor for a while, and switched to cheaper sources. Now I'm rich again, and I returned to my khaki addiction. During the interim, Lands End was bough

  • I got that too (Score:1, Interesting)

    by Anonymous Coward
    I think I have been getting the same spam, which really bugs me because until a few weeks ago I only got ~1 per month that missed the junk filter in my catchall account, but now I get ~5 per week to my personal email address (that I try not to give away). Do the emails go something like this:
    --

    Explosive pick for our members.

    A massive PR campaign is starting now! MAJOR NEWS!!!

    Trade Date: Monday September 18, 2006
    Company: LAS VEGAS RESERVATIONS
    Ticker: LVCC
    Current price: $1.25
    5-day Target: $4.00-$6.00
    Get In N
  • by mikem170 (698970) on Friday September 22, 2006 @11:08PM (#16164839) Homepage
    Objectively you did not prove how the spammer got your email address. It might have been a breach at the trading account company. It might have been someone capturing traffic at your ISP.
    • Re: (Score:3, Informative)

      by Asic Eng (193332)
      The trading company might also have given out the address voluntarily (and now doesn't want to admit to that) or it could be a lucky guess of the spammer (maybe a dictionary attack of sorts). I know they used to try to use commonly-used nicks on my domain for a while. (Then I turned the catch-all off...)
    • Or it might just have been a guess. I have email addresses which I have NEVER given to ANYONE and they still attract spam. These guys just randomly combine names with domains in the hope of hitting a live account.
  • I create addresses specifically to receive mail from retailers I order from. For example: companynameorderjunk@mydomain.com.

    I NEVER type these addresses anywhere, and they are not something a wide net spam sender would guess...

    Over the last few years i have had about 4 situations where those very account specific addresses began receiving a LOT of spam.

    The sites included Dell, and PCMall. The PCMall ones were primarily sexual in nature...

    I have thought of every possible way they could have gotten that addre
    • I used to do the same thing with Sneakemail (randomly generated disposable email addresses). These spam floods aren't necessarily from breaches, but from sharing with partner companies. Companies' information policies are subject to change, and once your info starts flowing to other companies, it's hard to control.
      • > These spam floods aren't necessarily from breaches, but from sharing with
        > partner companies.

        Same thing.
    • I NEVER type these addresses anywhere, and they are not something a wide net spam sender would guess...

      You think that nobody has ever come up with this idea before, creating unique mailboxes for various relationships? I've been doing it for 6 or 7 years, and I've taught dozens others the same idea. I probably got the idea from someone else or an article I read online or in print. But regardless, it is a simple and logical scheme that some savvy spammers are bound to figure out on their own (more so now

    • by Rick Zeman (15628)
      I have thought of every possible way they could have gotten that address, and a security breach seems like the only feasible way. I have never typed those addresses anywhere else (no forums, no re-use on other sites, etc...), have never had a virus or spyware on my machine (OSX, thank you very much), so there is really one source for those addresses, the company's internal database.

      anyone else experience this before?


      Yeah, my wife and I both use Macs at home ("Rick, you work with Windows every day at work; w
  • As an operator of a mailserver I know I do frequently get dictionary attacks (searching through names for mailing addresses) and sometimes these turn up addresses which aren't used (like my "stats" account or mail sent to "apache" or "mailman"). Usually these addresses later received subsequent spam - and often it is the most shady kind of spam such as the stock scam emails. So it is possible that the address may have been discovered through this means.
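The recipient dictionary attack the post above describes is easy to pick out of a mail server's log, and the names the probe hit are worth recording because, as the poster notes, they tend to receive spam afterwards. Added example, not code from the poster: the log lines are constructed in the style of Postfix "NOQUEUE: reject" entries, and the host names, IP addresses and the example.org domain are assumptions.

```python
"""Spotting a recipient dictionary attack in mail-server logs.

Added example, not code from the original post. The log lines below are
constructed in the Postfix "NOQUEUE: reject ... User unknown" style; host
names, IPs and the example.org domain are assumptions. A client that walks
many unknown local parts (stats, apache, mailman, ...) on one server is
harvesting addresses; a legitimate correspondent mistypes one address.
"""
import re
from collections import defaultdict

# One Postfix-style rejection per line: client IP in [...], recipient in <...>.
REJECT_RE = re.compile(
    r"reject: RCPT from [^\s\[]*\[(?P<ip>[^\]]+)\]: 550 [^:]*"
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def probed_recipients(lines):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    probes = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return probes


def dictionary_attackers(lines, threshold=5):
    """Clients that probed at least `threshold` distinct unknown recipients.

    Returns {ip: sorted list of probed recipients}. One typo from a real
    sender never reaches the threshold; a harvester walking a word list does.
    """
    return {
        ip: sorted(rcpts)
        for ip, rcpts in probed_recipients(lines).items()
        if len(rcpts) >= threshold
    }


# Constructed sample log: one harvester walking common local parts, plus one
# legitimate correspondent who mistyped an address once.
SAMPLE_LOG = [
    "Sep 23 03:14:0%d mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 550 5.1.1 <%s@example.org>: Recipient address rejected: "
    "User unknown in local recipient table; from=<promo@bulk.example> "
    "to=<%s@example.org> proto=ESMTP helo=<bulk.example>" % (i, name, name)
    for i, name in enumerate(["stats", "apache", "mailman", "webmaster", "sales", "info"])
] + [
    "Sep 23 03:15:10 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from "
    "mail.partner.example[198.51.100.7]: 550 5.1.1 <jon.smith@example.org>: Recipient "
    "address rejected: User unknown in local recipient table; from=<jane@partner.example> "
    "to=<jon.smith@example.org> proto=ESMTP helo=<mail.partner.example>",
]

if __name__ == "__main__":
    for ip, names in dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(names)} unknown recipients: {', '.join(names)}")
```

The threshold and time window are policy choices; in practice you would bucket by hour rather than over a whole file, and feed the flagged client IPs to whatever rate-limiting or blocklisting the MTA supports.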
  • by SysKoll (48967) on Friday September 22, 2006 @11:19PM (#16164879)

    "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'

    Is the trading company called Ameritrade by any chance? They got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&start=60 [spamgourmet.com]

    • Re: (Score:3, Funny)

      by dangitman (862676)
      [spamgourmet.com]

      Damn, I went there looking for recipes. Please stop using misleading domain names.

  • Ongoing Investigation? Was the company hacked? Was a CIA Agent's name leaked?
  • Victims should be told right away that it is suspected that there was a breach, and given an outline of how an investigation will be performed. But the company should be careful (mostly for legal reasons) to be reserved and to give only enough information.
  • by sharp-bang (311928) <sharp.bang.slashdot@NOSpAM.gmail.com> on Friday September 22, 2006 @11:44PM (#16164977) Homepage
    In the banking industry, the applicable regulation [federalreserve.gov] is fairly strict... the institution must "promptly" notify customers of a material breach and there are relatively few loopholes. So if your broker or whoever was part of a bank, then this would apply. However, if your e-mail address was all that was compromised, they don't really need to notify you. By definition, e-mail addresses are not private information, any more than your physical address is. A number of states, notably California [ca.gov], have privacy laws that can be invoked, but the trigger for a material breach is usually the compromise of a combination of personal identifying data such as name and address (including e-mail addresses) and sensitive nonpublic personal information such as login credentials, account numbers, etc. You might see whether there is a law in your state [consumersunion.org] that applies.
  • I'm a vet (Score:1, Troll)

    by PHAEDRU5 (213667)
    So, there I am, riffling through the mail. I see a letter from the VA. I read it. It says "Dear Vet, Apart from hating you, we also might have lost enough information to allow Russian gangsters simple access to all your financial holdings."

    Then I get a letter that says "Never mind."

    I really do believe that the Feds have begun to channel Rosanne Rosanna-Danna.

    Oh. PS from the Feds: "We still really hate you. Please die soon. Quietly."
  • Before it happens?
  • Lately I've gotten lots of stock spam through a sneakemail address assigned to VMWare. The interesting thing is that I used two separate sneakemail addresses, one for the demo download and one for the purchase of VMWare Workstation. All the spam goes to the demo address so it's tempting to think that they sold it. There's probably a less sinister explanation but the point is that blatant stuff like this does happen with reputable companies.

    Sneakemail users will recognize the format in the From line:

    Recei
  • Spam is often sent to made up addresses. So, if your email address was "joetrader@foo.com", it is entirely possible that a spammer synthesized the address. You need to use addresses that are not easily guessable, for example, joetrader@foo.com. If you already had a hard-to-guess address, then you have a point.
    • by Who235 (959706)
      So, if your email address was "joetrader@foo.com", it is entirely possible that a spammer synthesized the address. You need to use addresses that are not easily guessable, for example, joetrader@foo.com


      I agree.

      Change your address to your address. . .

      • by buzzn (811479)
        That'll teach me to not use angle brackets... I meant joe(randomnumber)trader@foo.com. Doh!
  • If a tape is missing, how do they know if it's been stolen? If a system is infected with a general purpose trojan, how do they know the extent to which the data was compromised, or if anything was downloaded at all? There would be a lot of false alarms if companies had to alert customers every time there was a possibility of data theft.

    But if you believe that sensitive data was probably stolen, then you should have to alert the people you believe were probably affected immediately. The only problem with thi
    • by dtfinch (661405) *
      I suppose that when data theft is confirmed, a fine could be levied in proportion to the time it took between the actual theft and its publication. That would encourage companies to report probable thefts, if the threat of fine is severe enough, while allowing them to keep the less probable breaches secret.
  • Sometimes, a company can only make a security threat worse by declaring the problem exists.

    Let's take a stolen laptop, for example. If Company A suffers a laptop theft, and the laptop (for whatever stupid reason) has the personal data of thousands of customers or employees on it, how should that company respond? This is obviously an example of poor security to begin with (no one should have that kind of information on a laptop taken off the premises), but how do you keep a bad situation from getting wor
    • I'm not sure there's always a best way to handle these things - sometimes it could be informing everyone, at other times it could just mean scrutinizing accounts more closely while keeping everything quiet. It's a hard thing to balance.

      The same rule as always applies here-SECURITY THROUGH OBSCURITY DOES NOT WORK. You could be dealing with a couple of punk kids who randomly stole a laptop and are off at the first opportunity to pawn it-or you could be dealing with organized gangsters who know damn well w

  • by soren42 (700305) * <(j) (at) (son-kay.com)> on Saturday September 23, 2006 @12:37AM (#16165177) Homepage Journal
    So, according to Bill AB 424 [ca.gov] in the Great Sovereign State of California, any company negligent in the protection of customer identity data must immediately inform the offended party upon being made aware of the breach.

    I understand that there have been several attempts to leverage that law on behalf of US citizens who can't afford to live in California (us poor, ol' east coast folks!) to require major corporations transacting any business in California to immediately disclose based on that law.

    I'm sure there's jurisdictional issues, but there's at least some chance in hell that virtue jurisprudence will prevail.

    Anyone with an actual Litt.D, SJD, or otherwise more qualified care to add fact to my hype and speculation? :)
    • 32 states have similar laws [consumersunion.org]. Disclosure of identity data *only* may not be sufficient cause. But if you think there's an issue and you're in the proper jurisdiction, a letter to the firm copying the state attorney general might be helpful.
  • Get out of that broker now. Move all your assets to another broker. You don't want to have assets with a broker in trouble.

    I've been through a broker bankruptcy, and it's a huge hassle. Yes, you eventually get the assets back, but you may be trapped in a position and unable to trade out of it.

  • priorities (Score:4, Funny)

    by macadamia_harold (947445) on Saturday September 23, 2006 @12:40AM (#16165189) Homepage
    How soon should such a company let its customers know that their data has been compromised?

    that depends, how long does it take to finance a new ferrari and a yacht to ship it out of the country?
  • They should tell you right away so you can make any necessary changes to protect yourself, especially if the info compromised is a credit card or bank account number.
  • Notify Immediately (Score:3, Interesting)

    by ErichTheWebGuy (745925) on Saturday September 23, 2006 @12:55AM (#16165243) Homepage
    I bought a CD from an online store a few years back. They got hacked, and customers' credit card numbers were stolen. I got a call that same day from the store, saying that they were aware of a problem and that I should take measures to protect myself. I really appreciated that. I have gone back to them several times, because of their honesty with me, and also because of the borderline-paranoia about security that follows a successful attack/theft.
    • I bought a CD from an online store a few years back. They got hacked, and customers' credit card numbers were stolen. I got a call that same day from the store, saying that they were aware of a problem and that I should take measures to protect myself. I really appreciated that. I have gone back to them several times, because of their honesty with me, and also because of the borderline-paranoia about security that follows a successful attack/theft.

      Myself I'd run screaming from such an online store, and war

      • Myself I'd run screaming from such an online store, and warn everyone I know about how poorly they handle security and what little they do about it.

        They never should have been storing your credit card information on a public facing computer in the first place!

        Unfortunately, it's not as easy as that. The machine may not have been public facing at all, and a public facing machine that had some level of access to it was. Granted, there should be precautions to stop even this from happening, but it can be very,

  • I too have noticed an uptick in 'stock' related SPAM.
    When I left my previous ISP host, netmegs.com, I immediately began receiving spam on the address I used to correspond with them on.

    I just figured it was sour grapes for them and eventually began filtering that address.

    Recently, I began receiving SPAM on 2 addresses that I use exclusively for my online trading account. At first, this made me think there was a breach at my broker. Then I noticed that many other email addresses that I used to use fo
  • Are we talking here about Ameritrade? We used a dedicated email address when we registered with them a few years back and we started getting spam on that address maybe 2 or 3 months ago. I changed our email correspondence address just two weeks ago, and I'm hoping that the California law that requires companies to reveal identity theft security breaches will kick in and force Ameritrade to fess up if something bad has gone down.
  • by joeflies (529536) on Saturday September 23, 2006 @02:54AM (#16165671)
    Although this was JUST announced a few weeks ago, ANSI and the Better Business Bureau [ansi.org] are setting up a working group to define standards and best practices for how to address identity theft. The scope is to first catalogue what standards and best practices exist, and then go beyond and define what else needs to be documented.

    Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.

  • ...After the incident with Kivas Fajo, all of Federation's androids have been outfitted with a subspace alarm that goes off when the androids' signal is lost.
  • How soon is too soon? At all. For them, at least. There is no real reason for them to admit anything. They don't really lose a whole lot by not admitting things. A couple savvy users isn't really worth the cost of the bad PR. Yeah, ideally they'd let everyone know as soon as the possibility of a leak was made known to them, but this world doesn't run on ideals.

    True security only comes when it's in the best interests of the person for whom the security is a cost, particularly at a corporate level. I'm sure t
  • There's a long-running thread [spamgourmet.com] on the bbs for spamgourmet discussing a bunch of events like this -- spamgourmet users generally use a unique email address for each of their accounts, and so can quickly identify a problem (unless it was with spamgourmet itself, of course, but records so far show that hasn't happened). The response of the companies varies from complete denial and reticence to surprising accountability. None of it ever ended up in court, afaik.
  • > How soon should such a company let its customers know that their data has
    > been compromised?

    They will do so shortly after you go public with their name. Don't you think you should tell us who they are so we will know who not to do business with?
  • This has happened to my accounts, *twice*. TDAmeritrade [tdameritrade.com] and Interactive Brokers [interactivebrokers.com] have both compromised my one-off email addresses for their systems to stock touts - not once, but TWICE. I changed the two one-off emails in their systems after noticing the stock tout scum spam scams, only to have the two newly generated emails compromised yet again within weeks. I ask, what other information have they sold/stolen??? These clowns are protecting my life's savings in brokerage accounts, but can't even keep my e
  • Is it possible you're the victim of a dictionary attack? These days spammers are sending junk to $RANDOMNAME@knowndomainname.com. I've seen this on both big national ISP domain names and dinky domain names that I own. If your user name is a common name and a letter, it might be getting hit at random without any need for compromising your account.
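  Several posters above describe the same technique: hand each company its own one-off address, then see which address the stock spam lands on. The dictionary-attack reply is the standard objection, since a local part like joetrader is guessable and proves nothing. The script below is an added illustration written for this page, not code from any poster or from spamgourmet or sneakemail. It builds per-service aliases with an HMAC tag that a spammer cannot synthesize, attributes a batch of spam recipients back to the service that was given each address, and flags hits on guessable addresses as explainable by a dictionary attack. The domain example.org, the service names and the spam recipient list are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Constructed example domain; any domain you control and receive mail for works.
DOMAIN = "example.org"


def guessable_alias(service):
    """The weak form: service name only. A dictionary attack on the domain
    would plausibly hit it, so spam here proves nothing about a leak."""
    return f"{service.lower()}@{DOMAIN}"


def tagged_alias(service, key):
    """The stronger form: service name plus a 10-hex-digit HMAC tag derived
    from a private key. Nobody can produce the tag without the key, so spam
    to this address means the address itself was disclosed or leaked."""
    tag = hmac.new(key, service.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"{service.lower()}.{tag}@{DOMAIN}"


def is_guessable(local_part):
    """Heuristic for what a dictionary attack would generate: a lowercase
    word-like token optionally followed by up to three digits (joetrader,
    bob42). Anything with a dot or a long hex tag fails the match."""
    return re.fullmatch(r"[a-z]+[0-9]{0,3}", local_part) is not None


def attribute_spam(aliases, spam_recipients):
    """aliases maps service -> the address given to that service.
    Returns {service: {"hits": n, "guessable": bool}} for services whose
    address received at least one message; unknown recipients are ignored."""
    by_addr = {addr.lower(): svc for svc, addr in aliases.items()}
    hits = Counter()
    for rcpt in spam_recipients:
        svc = by_addr.get(rcpt.strip().lower())
        if svc is not None:
            hits[svc] += 1
    report = {}
    for svc, n in hits.items():
        local = aliases[svc].split("@", 1)[0]
        report[svc] = {"hits": n, "guessable": is_guessable(local)}
    return report


def likely_leaks(report, min_hits=1):
    """Services where the spam cannot be explained by a dictionary attack:
    the address was hit and its local part is not guessable."""
    return sorted(svc for svc, r in report.items()
                  if r["hits"] >= min_hits and not r["guessable"])


if __name__ == "__main__":
    # In real use this key is generated once and kept private.
    key = secrets.token_bytes(32)
    aliases = {
        "broker": tagged_alias("broker", key),
        "cdshop": tagged_alias("cdshop", key),
        "newsletter": guessable_alias("newsletter"),
    }
    # Constructed inbox sample: the To: addresses of a week of stock touts.
    spam = [aliases["broker"], aliases["broker"].upper(),
            aliases["newsletter"], "sales@" + DOMAIN]
    report = attribute_spam(aliases, spam)
    for svc, r in sorted(report.items()):
        print(f"{svc:12s} hits={r['hits']} guessable={r['guessable']}")
    print("likely leaks:", likely_leaks(report))
```

  The tag is keyed rather than random so the same service name always maps to the same address and you never have to store a table; the key is the only secret. A hit on a guessable alias is reported but not counted as a leak, which is exactly the distinction the dictionary-attack comment asks for.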
  • On the part of companies to inform their customers when there is a security breach and that might compromise their information. That is something that, despite efforts by many security professionals, most companies still fall quite short in.

    Unfortunately, we as the customers are often the ones that suffer from company's attempts to always escape from this sort of thing unscathed.
  • The company you are dealing with (the broker), probably outsources its email list to some other company. That other company may be shady/aggressive, or it may be offshore, or some of its employees may pilfer the email addresses and sell them to spammers.

    That could be all there is.
  • This probably has nothing to do with your account. I started getting stock touting emails, and was suspicious that someone had sold my email address. However, now I get at least 1 a day on 5 different email accounts, including at work.

    I've heard these emails being cited as evidence that this or that brokerage, investor service, or whatever has been compromised. However, email addresses I never used to sign up for anything, internal email aliases at work, etc., are all being hit. The most reasonable expl
