RSS FeedSecurity

Chocolate is better than antivirus software in settling data breach cases

Antivirus software can't stop someone's identity from being stolen

By | Computerworld US | Published 14:00,

I was pleasantly surprised when I read last week that a judge refused TD Ameritrade's laughable settlement offer for the compromise of millions of accounts. TD Ameritrade's proposed settlement would have done nothing for the victims of the breach. I just wish the judge had indicated that he really understands something about computer security.

In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of as many as all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers. Did that hack result in a more serious compromise?

Also in this channel
Related Articles

 

Virtualisation, Big Data and BYOD

Check out our Business IT Hub for opinions and briefings. Read more

Only the criminal knows the full extent of what he did. But there was definitely a breach, and anytime customer data is compromised, the customers are at risk. That's why some enterprising lawyer put together a class-action lawsuit, leading to the ruling this week.

TD Ameritrade's offer came down to proposing that it hire a firm to determine who, if anyone, suffered more serious compromises. It would then give those customers a one-year licence for antivirus software. It also proposed performing a penetration test to look for other potential vulnerabilities.

I hope you weren't drinking anything when you read that; I told you the offer was laughable. Let's get the obvious out of the way first. It is nearly impossible to definitively figure out whether a particular identity theft was the result of a specific breach. Sadly, there are just too many breaches in the world to do that. By requiring this proof, TD Ameritrade seemed to be trying to eliminate all potential victims.

If anything, the offer of antivirus software is even more ridiculous. There is absolutely no way that antivirus software can stop someone's identity from being stolen if a criminal already has all of their identifying information. TD Ameritrade might as well give each victim a box of chocolates, which might at least help relieve the stress of having their credit ruined.

I am heartened that US District Court Judge Vaughn Walker in San Francisco seems to have recognised to some extent that TD Ameritrade was attempting to get away with doing what amounts to nothing for its customers. In his 13-page ruling, Walker described the additional security measures that Ameritrade proposed as "routine practices" that any reputable company should be taking anyway.

Nonetheless, I'm a bit leery that he added: "Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach." That just isn't true.

1 2 continued on page 2 »

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

HP Business Answers

Join the discussion today

The HP Business Answers group is a vibrant community of small and medium sized business owners and employees. HP provides independent and expert advice in fields such as design, branding, taxation, technology, marketing or manufacturing so join today to network with over 6500 like-minded professionals.

Join the HP Business Answers Linkedin Community

Read the most recent discussions

Read more at the HP Business Answers Linkedin Community

ComputerWorldUK Resources

ComputerworldUK
Share
x
Open
* *