Ameritrade is missing one of their backup tapes. If you have not heard about the details, you can find the story here. I have some real problems with a couple of things from this story, mainly what spokeswoman Donna Kush said:
"We feel like we acted in a timely fashion," Kush said. "This was not an Ameritrade Systems issue or a compromise of our technology. This was related to a third party vendor."
It’s long been said that security in the IT industry will not improve until companies are held culpable. This will take even longer if they become better at shifting the blame onto someone else. Are there really people out there who believe giving unencrypted data backups of customers’ personal and financial data to a third party is not a bad thing? But wait, it gets better:
Ameritrade has reviewed the customer information that would be on the missing back-up tape and has decided that only 175,000 of those customers needed to be notified, in accordance with industry standards. The company began sending letters to those customers last week.
I’m sorry, but I must have been absent for the past 10 years. What are the industry standards regarding theft of data that could endanger innocent paying customers? I have consulted with a few companies after they have found out they had a breach. The only discussions on disclosure that I can remember came in the form of vague threats in meetings with lawyers to review the terms of my NDA agreement after they have realized the severity of the breach. Combining that little tidbit of knowledge with the fact that it happened in February and we are just now hearing about it at the end of April means one of two things to me: either A) after desperately trying to recover the missing backup tape, they realized it was hopeless and that they should be a good corporate citizen and disclose this information to affected customers, or B) they know it is or will be misused, and it is easier to disclose now and claim no fault rather than have it look like they are shifting blame when it becomes a problem.
The last part just made me laugh:
…the missing back-up tape contained compressed data that would require very advanced computer systems to access.
We all know how wily that damn compressed data can be….