Ameritrade Lawsuit Settlement Fails to Shed LightOn Massive Security Breach, Public Citizen Says

Sept. 2, 2008

Ameritrade Lawsuit Settlement Fails to Shed Light On Massive Security Breach, Public Citizen Says

Federal Court Should Reject Settlement, Order Firm to Reveal Details of Computer Data Theft

WASHINGTON, D.C. – Public Citizen has urged a federal judge to reject a lawsuit settlement    between TD Ameritrade and as many as six million of its clients, saying the deal does little to address a security breach that allowed hackers access to customers’ Social Security numbers, birth dates, account numbers and e-mail addresses.

Public Citizen filed the brief Friday afternoon in the U.S. District Court for the Northern District of California on behalf of its client, Matthew Elvey, an Ameritrade customer and lead plaintiff in the class action suit against the Internet stock-trading company.

Elvey, a San Francisco Bay area computer consultant, learned of the security breach when he started receiving spam at an e-mail address he used exclusively with his Ameritrade account. When he informed Ameritrade of the problem in November 2006, the company responded via e-mail that it was “conducting a thorough investigation into this matter.” What the company didn’t tell him was that it had been receiving similar complaints from other clients for more than a year.

Elvey opposes the settlement reached by the law firm handling the class-action case on behalf of Ameritrade customers. The proposed settlement requires Ameritrade to provide its clients with a one-year subscription to anti-spam software but does little else to acknowledge the security breach or to respond to customers who had been complaining for almost two years that their private account information was being stolen from the company.

The deal does not require Ameritrade to implement any new security practices or even reveal the extent of the breach and what, if anything, the company has done to fix the problem. To date, Ameritrade has acknowledged only that its clients’ e-mail addresses were compromised, while saying only that there is “no evidence” that any other information was taken.

“It’s absurd to think that hackers would steal e-mail addresses from Ameritrade’s data base, while ignoring more prized information, such as Social Security numbers and birth dates,” said Greg Beck, a Public Citizen lawyer working on the case. “The only people who benefit from this settlement are the plaintiffs’ lawyers – who will receive $1.8 million in fees – and Ameritrade officials who would rather pretend this security breach never happened.”

At about the time that the breach came to light, Elvey’s Social Security number was used in a fraudulent transaction. Elvey wants the judge to reject the settlement and thus keep up the pressure on Ameritrade to make information about the breach available to the public, including how it happened and what information was taken. A deposition of Ameritrade’s security chief has not been made part of the public record. Without access to this information, Elvey and other Ameritrade clients cannot assess the merits of the proposed settlement, Beck said.

“The least Ameritrade can do is be honest with its clients about what went wrong and what it has done to fix the problem,” said California attorney Mark A. Chavez, who is representing Elvey with Public Citizen.

READ the brief.

###