I was pleasantly surprised when I read last week that a judge refused TD Ameritrade's laughable settlement offer for the compromise of millions of accounts. TD Ameritrade's proposed settlement would have done nothing for the victims of the breach. I just wish the judge had indicated that he really understands something about computer security.
In September 2007, Ameritrade announced that the names, addresses, phone numbers and trading information of as many as all of its more than 6 million retail and institutional customers at that time had been compromised by an intrusion into one of its databases. The stolen information was later used to spam those customers. Did that hack result in a more serious compromise?
Only the criminal knows the full extent of what he did. But there was definitely a breach, and anytime customer data is compromised, the customers are at risk. That's why some enterprising lawyer put together a class-action lawsuit, leading to the ruling this week.
TD Ameritrade's offer came down to proposing that it hire a firm to determine who, if anyone, suffered more serious compromises. It would then give those customers a one-year licence for antivirus software. It also proposed performing a penetration test to look for other potential vulnerabilities.
I hope you weren't drinking anything when you read that; I told you the offer was laughable. Let's get the obvious out of the way first. It is nearly impossible to definitively figure out whether a particular identity theft was the result of a specific breach. Sadly, there are just too many breaches in the world to do that. By requiring this proof, TD Ameritrade seemed to be trying to eliminate all potential victims.
If anything, the offer of antivirus software is even more ridiculous. There is absolutely no way that antivirus software can stop someone's identity from being stolen if a criminal already has all of their identifying information. TD Ameritrade might as well give each victim a box of chocolates, which might at least help relieve the stress of having their credit ruined.
I am heartened that US District Court Judge Vaughn Walker in San Francisco seems to have recognised to some extent that TD Ameritrade was attempting to get away with doing what amounts to nothing for its customers. In his 13-page ruling, Walker described the additional security measures that Ameritrade proposed as "routine practices" that any reputable company should be taking anyway.
Nonetheless, I'm a bit leery that he added: "Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach." That just isn't true.