Settlement Proposed In Ameritrade Data Breach Lawsuit

Written by Evan Schuman
June 13th, 2008

After admitting it had security holes that led to a breach exposing the data of more than 6.2 million customers, attorneys for TD Ameritrade this week agreed to a settlement of a class action lawsuit.

(Editor’s Note: This story has been updated, with the judge on Friday rejecting the settlement.)

The 74-page settlement outlined several efforts by Ameritrade, but it did not include any cash payments to the consumers who sued the company. Among the agreements were that Ameritrade will warn consumers about investment SPAM, pay for limited security testing, seed E-mail accounts with addresses intended to identify violators, pay $20,000 to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance, and buy some of the impacted consumers a one-year license for an Ameritrade-selected anti-SPAM software package.
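What "seeding E-mail accounts" means in practice, as an added example (this is illustrative code written for this page, not code from the article, from Ameritrade or from the settlement): plant addresses that exist nowhere except in one specific dataset, then treat any mail that reaches them from an unexpected sender as evidence that the dataset was copied. The key, the domain, the dataset labels and the sample messages below are all constructed for the example; binding each address to an HMAC tag is a design choice of this example, so that someone who learns the address format cannot mint look-alike seeds to trigger false alarms.

```python
"""Canary ("seed") mailbox scheme for detecting a leaked customer list.

Added example, not code from the article or from the company it describes.
Plant addresses that appear in exactly one dataset; any mail to them from a
sender who should not have that dataset is an alert.  All names, the key and
the sample mail are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a per-deployment secret so an outsider who learns the address
# format still cannot forge addresses that verify as genuine seeds.
SEED_KEY = b"constructed-example-key-rotate-me"
SEED_DOMAIN = "canary.example.com"  # assumption: a domain only we read
TAG_LEN = 12


def _tag(dataset_id: str) -> str:
    """Short HMAC over the dataset label, keyed with our secret."""
    return hmac.new(SEED_KEY, dataset_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def seed_address(dataset_id: str) -> str:
    """Mint the canary address to plant in one dataset (e.g. "crm-export-2008q1")."""
    if not dataset_id or dataset_id != dataset_id.lower() or "@" in dataset_id:
        raise ValueError("dataset_id must be a non-empty lowercase label without '@'")
    return f"seed-{dataset_id}-{_tag(dataset_id)}@{SEED_DOMAIN}"


def identify_seed(address: str) -> Optional[str]:
    """Return the dataset an incoming recipient address was planted in, or None.

    Anything not on our canary domain, malformed, or carrying a tag that does
    not verify (a forged or mangled address) is rejected.
    """
    local, sep, domain = address.lower().rpartition("@")
    if not sep or domain != SEED_DOMAIN or not local.startswith("seed-"):
        return None
    dataset_id, sep, tag = local[len("seed-"):].rpartition("-")
    if not sep or not dataset_id or len(tag) != TAG_LEN:
        return None
    if not hmac.compare_digest(tag, _tag(dataset_id)):
        return None
    return dataset_id


def detect_leaks(
    messages: List[Tuple[str, str, str]],
    allowed_senders: Dict[str, Set[str]],
) -> List[Tuple[str, str, str]]:
    """Scan (sender, recipient, subject) triples and return leak alerts.

    allowed_senders maps dataset_id -> sender domains entitled to mail that
    dataset (our own systems).  Mail to a verified seed from anyone else means
    the dataset has been copied; each alert is (dataset_id, sender, subject).
    """
    alerts = []
    for sender, recipient, subject in messages:
        dataset_id = identify_seed(recipient)
        if dataset_id is None:
            continue  # not one of our canaries, or a forgery: ignore
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain in allowed_senders.get(dataset_id, set()):
            continue  # expected traffic to the seed address
        alerts.append((dataset_id, sender, subject))
    return alerts


# Constructed sample traffic: one legitimate statement, one stock-tip spam to
# a real seed, one spam to a forged seed (wrong tag), one partner mailing to a
# seed planted in a different list.
SAMPLE_MAIL = [
    ("alerts@broker.example", seed_address("crm-export-2008q1"), "Your statement is ready"),
    ("promo@hotstocktips.invalid", seed_address("crm-export-2008q1"), "XYZ to soar 300%"),
    ("promo@hotstocktips.invalid", "seed-crm-export-2008q1-000000000000@canary.example.com", "XYZ to soar"),
    ("newsletter@partner.example", seed_address("marketing-list-2007"), "Weekly picks"),
]
ALLOWED = {
    "crm-export-2008q1": {"broker.example"},
    "marketing-list-2007": {"broker.example"},
}

if __name__ == "__main__":
    for dataset_id, sender, subject in detect_leaks(SAMPLE_MAIL, ALLOWED):
        print(f"ALERT dataset={dataset_id} sender={sender} subject={subject!r}")
```

Two alerts come out of the sample: the stock-tip spam to the CRM seed and the partner mailing to the marketing-list seed. The message to the forged address is silently dropped, which is the point of the keyed tag: without it, anyone who guessed the naming scheme could flood the scheme with false leak reports.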

Although only three of the consumer plaintiffs will receive any cash payment, the settlement proposes a $1.87 million payment for attorneys' fees plus $9,000 for expense reimbursement. The three class representative plaintiffs (the consumers who brought the original case and researched and worked the issues) will be paid, with Matthew Elvey receiving $10,000 and Brad Zigler and Joel Griffiths each getting $1,000.

Compared with some of the other major data breaches of the last few years, such as the classic TJX incident, the Ameritrade breach seemed to involve far less provable damage. Unlike the payment card data involved in TJX, the only information Ameritrade has confirmed intruders obtained was names, E-mail addresses, phone numbers and physical addresses. Instead of bogus payment card charges, the damages here were confined mostly to consumers receiving investment E-mail SPAM, although the potential for identity theft still exists.

Mark Rasch, an attorney who specializes in data fraud cases and who is the former head of the U.S. Justice Department’s white-collar crime unit, said the weakness of provable damages in the Ameritrade case made the settlement appropriate.

"It’s hard for the plaintiffs to demonstrate any actual damages other than annoyance or aggravation," Rasch said. "This kind of information (loss) doesn’t mean you’ve won the lottery and doesn’t mean you deserve a giant check from the company."

One of the lead attorneys for the consumer plaintiffs, Ethan Preston, said he thought it was "a great settlement," primarily because the initial lawsuit pushed Ameritrade into disclosing the breach.

The problem is that the disclosure did not include any specifics of the breach, including the state of Ameritrade's security at the time. Had Ameritrade's disclosure been specific enough to let IT leaders at other companies prevent this kind of breach from hitting them, it would have been a public benefit.

The second consequence of such a detailed disclosure is also the reason it did not happen. There are two extreme possibilities and many in-between scenarios. The cautious extreme is that Ameritrade's defenses were beyond industry standards, that no major security holes existed and that the cyber-thieves were especially creative and resourceful. The reckless extreme is the opposite: that Ameritrade had many obvious security holes and that its protections were sloppy in the extreme. A detailed disclosure that pointed anywhere near the second extreme could open Ameritrade to further lawsuits from consumers complaining about weak security.

U.S. District Court Chief Judge Vaughn R. Walker, hearing the attorneys present the settlement in his San Francisco courtroom Thursday (June 12), didn’t make a ruling, but he did question how much money Ameritrade was paying for the anti-SPAM software licenses it would be giving out. Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly less" than retail value for the Security Pro software, according to this Wired story.


One Comment

  1. Matthew Elvey Says:

    From AMTD’s press release: “TD AMERITRADE Holding Corporation (NASDAQ:AMTD) has discovered … unauthorized code … that allowed access to an internal database. … While more sensitive information like account numbers, date of birth and Social Security Numbers (SSNs) is stored in this database, there is no evidence that it was taken.” There is no evidence it was not taken either. We know the data was in a ‘compromised’ database, so it in fact WAS ‘compromised’. AMTD is simply claiming that it’s possible that the criminals that broke in and stole the email addresses left the SSNs. AMTD itself has provided no evidence that email addresses, names, addresses or phone numbers were retrieved from this database either. In other words, the only evidence of the latter is the spam itself (provided by AMTD customers). Essentially, AMTD is claiming that it’s plausible that crooks breaking into the equivalent of Fort Knox would leave the gold (the Social Security Numbers) and just take the silver (the email addresses).

    Given these facts, I don’t see how you or Mark Rasch can claim that the breach is less serious than the TJX breach, which merely involved credit card numbers, not social security numbers.

    For more, see my blog about the case:

    -Matthew Elvey (the plaintiff)

