Data Theft Notifications - How Soon is Too Soon? 137
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information wasn't also stolen?"
Do more (Score:4, Insightful)
Re: (Score:3, Funny)
Re:Do more (Score:4, Insightful)
Re:Do more (Score:4, Insightful)
For companies and agencies that have to have highly sensitive information like SSN's on file, there should be an exceptionally small number of people who have access to that information. A small enough number that I can count them on one hand. And none of those people should ever be allowed to take any portion of that list out of the system in any way, not on a thumb drive, not on a laptop, nothing. The vast majority of the employees should only be able to access the last 4 numbers of any given person for varification purposes.
Comment removed (Score:4, Insightful)
Re: (Score:2)
In this day and age, the answer is Yes. Names change - people get married, divorced, decide to use Chuck or Charly instead of Charles. People move. Matching things up on these two - name and address - works 99.9% of the time (with a little effort) - but isn't absolute. SSN (and SIN for those in the Maple Leaf state) allows a match for that final 0.1% percent. (Yes, SSN change occasionally too, but
Re: (Score:3, Informative)
Your bank reports capital gains on your accounts to the IRS. They need your SSN. If you don't give it to them, they probably won't give you an account.
Re: (Score:1)
Re: (Score:2)
They said capital gains tax, not income tax. Your bank, mortgage broker, etc would be much more likely to know about your capital gains than your employer.
Re: (Score:2)
And who's going to enforce this rule ?
It is impossible to design a system that is immune to corruption, especially if the designers/maintainers themselves could possibly be prone to it. The only solution is to pay enough money to your employees that they don't want to risk their job, and treat them well enough that they don't want to screw you -
Re: (Score:2)
I never said it should be a rule/law or anything like that. However, I think it's a policy that corporations / gov't agencies / universities should get through their thick skulls, and the only way that's going to happen is if the consumer gets fed up enough to do something about it. Losing customer's private information is not acceptable. Ever. When I was in college, I had to argue with one of my teachers to keep her from posting my SSN on the wall in the hallway wi
Re: (Score:2)
You missed my point. If there's a corporate policy that only select few may access the data, then there must be someone who enforces this policy and keeps everyone not authorized to access the data from accessing it. Who guar
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's easy to say, but it's really not so simple. Some data leaks happen because of software issues.
It is actually simple, it is about priorities. Business says "Gotta have that (insecure unstable) app at all costs". Security says "It is a big risk". Management derates security over a vendor lunch until a breach occurs. Senior management does a knee jerk. Repeat until lesson learned or out of business.
Hiring more trustworthy employees requires paying more money
Very true, yet you get a drug test b
Re: (Score:3, Interesting)
Employees and contractors coming in contact with money, financial data (of which SSN is one piece), and any other customer data should be bonded. That is not a perfect solution, but a good first step. Try working in a bank branch without being bonded -- probably not going to happen. Banks know there's a lot at risk (and the government probably req
Re: (Score:2)
Turns out someone misconfigured a mailserver and someone was able to havest the email acounts for all the domains configured on the server. The other problem was traced to some bullshit E-Greeting card that my girlfriend devided to open when she checked her mail. Several weeks after the problem started on that address, the same E-card she sent me was implicate
Re: (Score:1)
Hmmmmm....
Safe/sorry (Score:5, Informative)
File complaints with the federal and your state Attorney Generals against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.
I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.
Re: (Score:1)
So what are you saying? American fraudsters are dumb?
Maybe someone should start a campaign to get them up to the same level of skill as those from other countries. Or is this more of a reflection of the level of education.
Anyone going to start offering college courses in electronic fraud. If you do, don't accept any form of payment except cash.
Re: (Score:2)
Re: (Score:1)
Is Canada overseas? How about Mexico? Columbia? It's a fairly big co
Re: (Score:1)
With [slashdot.org] how [slashdot.org] often [slashdot.org] it's [slashdot.org] happening [slashdot.org], it may already be paid for for him.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
I went to
This is overkill (Score:2)
Think about it, if you are some bad guy with the complete customer records of XXX,000 brokerage customers, what are YOU going to do with it? Send out a measly XXX,000 e-mails touting some worthless stock, or just steal the money out of the checking accounts outright?
To me, this sounds like some greedy m
It's already too late (Score:1, Interesting)
Kudos to you! I'm surprised that you have gotten as much information from them as you have. When a breach occurs, a company's first response is always to circle the wagons and cover up the mishap a soon as possible. This means keeping the bad press from anyone that doesn't already know, especially including the people in their customer service department who could let a thing like this slip.
But in answer to your quest
Plug the hole first (Score:4, Interesting)
As soon as it becomes public knowledge that they've got a vulnerability somewhere, the number of people poking around their interface attempting to stumble upon that hole (or other ones) will skyrocket. Better to fix known problems before they essentially invite the community to look for chinks in their armor. That said, as soon as any known holes are patched, they should inform the affected users; or, if they can't determine whose information was nabbed, they should alert all of their customers.
Keep in mind that no matter how suspicious the circumstances, unless you use that email address solely for your brokerage account, there's really no way to prove a connection unless the company admits it. A friend of mine started playing online poker, used his email address to sign up for the site, and doesn't get any poker spam. A week or so later, his wife started getting a ton of poker-related spam at her email address. It's just a coincidence, though it's about impossible to convince her of that.
I've seen a huge uptick in stock spam lately, across the board (I have a number of email accounts and only one of them is tied to a brokerage). Maybe you're just on the same spam lists
D'oh! (Score:2)
Re: (Score:2)
The argument that they need time to fix the system before disclosing is a common one from places that don't care about security; they hate full-disclosure lists, favor only vendor disclosure, etc. And the "we need time to fix it" argument is a core part of their anti-security stance; it ign
How stupid is E*Trade? (Score:5, Interesting)
Like the article-poster I'm one of those guys who uses individualized addresses for each online entity they deal with, as in slashdot thinks my email is slashdot@mydomain.com, amazon thinks it is amazon@mydomain.com and etrade thinks it is etrade@mydomain.com - those examples are simplified for illustrative purposes.
A while back, before the bubble burst, I dabbled in some options trading in my etrade account. Therefore, Etrade's marketing department decided that would make my contact information something they could sell to the CBOE and I started getting bi-weekly spam from somebody on behalf of the CBOE trying to sell me all kinds of bullshit options information -- all sent to my etrade-only address.
After about a year of that crap, it finally stopped on its own. But then I started to get spam from the same mailing-list operator that the CBOE had used, but this time they were promoting other brokerages like TD Waterhouse, and most recently "TradeKing" which seems very questionable.
Whenever I get one these brokerage spams, I have to laugh. Etrade breached my privacy to make a buck or two and I'm sure they did the same thing to tens of thousands of other customers. But the end result is that their competition now has a confirmed mailing list of etrade customers, and the stupid greedy bastards GAVE it to them.
I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...
Re:How stupid is E*Trade? (Score:5, Informative)
Re: (Score:2)
The problem is that at least 1/2 of the services on the web will consider this an invalid address (despite it being perfectly valid). Very annoying.
Re: (Score:3, Insightful)
stripping * after + (Score:1)
Re: (Score:2)
Re: (Score:2)
Down sides: creating a new address is more involved; if you don't control your own DNS servers, you have to wait for the zone to reload. I've scripted most of this so that I can set up a new one in under a minute.
Up side: when an address is abused, you just yank th
Re: (Score:2)
Re: (Score:2)
That would mean his server still has to respond to the spam. His way, the spammer's DNS lookup of the domain fails and there's absolutely no effort on his part to deal with the deluge of spam to that address.
As stupid as Ameritrade (Score:2, Informative)
Ameritrade/TD-W also let its email addresses out, too. My specifically-for-Ameritrade email address got vanilla (same type as my other accounts; not investing at all) spam. So I changed it. Again.
DT
Re: (Score:3, Interesting)
I do the same thing. So, I'll get to the point quickly...
The email address that I use for my Hertz rental membership has been distributed to spammers, twice. The first time, I sent a complaint and after a while I got a patronizing response about how it couldn't be them, and was instead someone else to whom I had given the address. It must have been a form response, as I had alr
Re: (Score:1)
Well that wouldn't be technically difficult, but most ISPs that I have experience with work VERY hard to prevent people from doing this and you would be an idiot to use this resource to steal email address's. The more prudent thing to do if you had
Re: (Score:1)
I've since opened an account with TD Waterhouse (aka Ameritrade) and make most of my trades through them, in part because of etrade's callous treatment of my privacy. I wonder how many others have done the same...
That's ironic, because the email account I used for Ameritrade only became the target of pump and dump spam.
To give them some of the benefit of doubt, it was ameritrade@somedomain.com. I wouldn't be surprised if the pump and dumpers use similar addressesfor all the domains they spam.
Re: (Score:2)
Re: (Score:2)
"I've since opened an account with TD Waterhouse"
So you have done buisness with a company knowing that they advertise by spam.
I do give you some credit, a 5 minute search failed to yield an email address though you are an avid Slashdot poster and a home theatre afficionado.
Still. WTF man
Re: (Score:1)
Depends on how you look at it. Although I use the term spam loosely, I blame etrade for giving my address away in the first place, not the mailing list operator for using it - as far as I know, they have every right to think it is legit since they got it officially from etrade. If I were to interpret it strictly, I would never trade options either as it was the CBOE itself that first spammed me via etrade.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I used to buy a lot of stuff from Lands End. Then I got poor for a while, and switched to cheaper sources. Now I'm rich again, and I returned to my khaki addiction. During the interim, Lands End was bough
I got that too (Score:1, Interesting)
--
Explosive pick for our members.
A massive PR campaign is starting now! MAJOR NEWS!!!
Trade Date: Monday September 18, 2006
Company: LAS VEGAS RESERVATIONS
Ticker: LVCC
Current price: $1.25
5-day Target: $4.00-$6.00
Get In N
Comment removed (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:2)
Credit card info and passwords will be encrypted, if a user is taking any precautions at all.
However, most connections between MTAs (Message Transfer Agents like Sendmail, Postfix, etc.) are not encrypted. My Postfix server offers TLS to a
This has happened to me before... (Score:2)
I NEVER type these addresses anywhere, and they are not something a wide net spam sender would guess...
Over the last few years i have had about 4 situations where those very account specific addresses began receiving a LOT of spam.
The sites included Dell, and PCMall. The PCMall ones very primarily sexual in nature...
I have thought of every possible way they could have gotten that addre
Re: (Score:2)
Re: (Score:2)
> partner companies.
Same thing.
Re: (Score:2)
You think that nobody has ever come up with this idea before, creating unique mailboxes for various relationships? I've been doing it for 6 or 7 years, and I've taught dozens others the same idea. I probably got the idea from someone else or an article I read online or in print. But regardless, it is a simple and logical scheme that some savvy spammers are bound to figure out on their own (more so now
Re: (Score:2)
anyone else experience this before?
Yeah, my wife and I both use Macs at home ("Rick, you work with Windows every day at work; w
Dictionary attacks? (Score:2)
Are we talking about Ameritrade? (Score:4, Informative)
"I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'
Is the trading company called Ameritrade by any chance? They got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&star t=60 [spamgourmet.com]
Re: (Score:3, Funny)
Damn, I went there looking for recipes. Please stop using misleading domain names.
'ongoing investigation'? (Score:1)
Immediate but reserved (Score:2)
certain laws may apply (Score:3, Informative)
Oops (Score:2)
Pending Federal Laws on data theft may preempt (Score:1)
Another concern raised is that many companies don't even realize they've been hacked. "Data breach notification laws assume companies are able to detect the loss of personal data in the first place and then determine if lost data contained personally identifiable information.|LLB [typepad.com]|"
The post cites to a recent P [ponemon.org]
I'm a vet (Score:1, Troll)
Then I get a letter that says "Never mind."
I really do believe that the Feds have begun to channel Rosanne Rosanna-Danna.
Oh. PS from the Feds: "We still really hate you. Please die soon. Quietly."
How soon is too soon??? (Score:2)
VMWare too (Score:1)
Sneakemail users will recognize the format in the From line:
Recei
How do you know? (Score:1)
Re: (Score:2)
I agree.
Change your address to your address. . .
Re: (Score:1)
Sometimes hard to tell (Score:2)
But if you believe that sensitive data was probably stolen, then you should have to alert the people you believe were probably affected immediately. The only problem with thi
Re: (Score:2)
It's a balancing game... (Score:2)
Let's take a stolen laptop, for example. If Company A's suffers a laptop theft, and the laptop (for whatever stupid reason) has the personal data of thousands of customers or employees on it, how should that company respond? This is obviously an example of poor security to begin with (no one should have that kind of information on a laptop taken off the premises), but how do you keep a bad situation from getting wor
Re: (Score:2)
I'm not sure there's always a best way to handle these things - sometimes it could be informing everyone, at other times it could just mean scrutinizing accounts more closely while keeping everything quiet. It's a hard thing to balance.
The same rule as always applies here-SECURITY THROUGH OBSCURITY DOES NOT WORK. You could be dealing with a couple of punk kids who randomly stole a laptop and are off at the first opportunity to pawn it-or you could be dealing with organized gangsters who know damn well w
Are they incorporated in California??? (Score:3, Interesting)
I understand that there have been several attempts to leverage that law on behalf of US citizens who can't afford to live in California (us poor, ol' east coast folks!) to require major corporations transacting any business in California to immediately disclose based on that law.
I'm sure there's jurisdictional issues, but there's at least some chance in hell that virtue jurisprudence will prevail.
Anyone with an actual Litt.D, SJD, or otherwise more qualified care to add fact to my hype and speculation?
Re: (Score:2)
Transfer your account to another broker. Now. (Score:2)
Get out of that broker now. Move all your assets to another broker. You don't want to have assets with a broker in trouble.
I've been through a broker bankruptcy, and it's a huge hassle. Yes, you eventually get the assets back, but you may be trapped in a position and unable to trade out of it.
priorities (Score:4, Funny)
that depends, how long does it take to finance a new ferrari and a yacht to ship it out of the country?
Immediately (Score:1)
Notify Immediately (Score:3, Interesting)
Re: (Score:2)
Myself I'd run screaming from such an online store, and war
Re: (Score:1)
Unfortunately, it's not as easy as that. The machine may not have been public facing at all, and a public facing machine that had some level of access to it was. Granted, there should be precautions to stop even this from happening, but it can be very,
Uptick in Stock SPAM, ISP Sold My Address (Score:1)
When, I left my previous ISP host, netmegs.com, I immediately begin receiving spam on the address I used to correspond with them on.
I just figured it was sour grapes for them and eventually began filtering that address.
Recently, I begin receiving SPAM on 2 addresses that I use exclusively for my online trading account. At first, this made me thing there was a breach at by broker. Then I noticed that many other email addresses that I used to use fo
Ameritrade? (Score:1)
ANSI and BBB Standards (Score:3, Informative)
Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.
It's not possible to steal Data. (Score:1, Offtopic)
Why should they care? (Score:2)
True security only comes when it's in the best interests of the person for whom the security is a cost, particularly at a corporate level. I'm sure t
disposable addresses (Score:2)
Now Is Not Soon Enough (Score:2)
> been compromised?
They will do so shortly after you go public with their name. Don't you think you should tell us who they are so we will know who not to do business with?
Same thing, two high profile brokers... (Score:1)
Dictionary Attack? (Score:2)
There should be more effort (Score:1)
Unfortunately, we as the customers are often the ones that suffer from company's attempts to always escape from this sort of thing unscathed.
Not necessarily data theft (Score:2)
That could be all there is.
This probably has nothing to do with your account (Score:1)
I've heard these emails being cited as evidence that this or that brokerage, investor service, or whatever has been compromised. However, email addresses I never used to sign up for anything, internal email aliases at work, etc., are all being hit. The most reasonable expl
Re: (Score:1)
I also had the same problem with match.com(as has my brother, who