The TD Ameritrade incident of 2007 hasn't quite been resolved -- yet. While the breach may have been contained, the litigation is still ongoing. A class action suit filed in California in May of 2007 has reached a preliminary settlement, but the settlement is contested by the individual who filed the class in the first place, and the case has been through some extremely interesting twists and turns.
The case was filed in May of 2007, with a complaint that claimed that TD Ameritrade was essentially selling email addresses of clients to spammers, in violation of TD Ameritrade’s privacy policies and various laws.
A motion for a preliminary injunction kicked things into gear in July 2007, which alleged that the spam was still ongoing, and demanded that TD Ameritrade take steps to protect members of the class (TD Ameritrade customers). The fact that the incident was still ongoing at the time of the injunction was later confirmed in testimony, and it would seem from interpreting the various testimonies in the case that the breach was mitigated “on or about August 14th, 2007”.
Sometime thereafter, TD Ameritrade acknowledged that it had in fact been "hacked", and that the hacker had access to names and email addresses. During the disclosure (via a letter to customers), TD Ameritrade also acknowledged that the database that had been breached also contained Social Security numbers, but that TD Ameritrade had no evidence that Social Security numbers had been taken. This spawned another lawsuit: Brad Zigler v. TD Ameritrade. The complaint in this new lawsuit went beyond the spam aspect, and brought into view the potential compromise of Social Security numbers as well. In December of 2007, the two cases became officially related.
In early 2008, a new judge was assigned to the case. Several months later, the two cases merged, and a request to have a settlement approved was filed by the plaintiffs (on May 30, 2008). Both sides seemed in agreement at the time. Days later, at a proceeding, that agreement appeared to have dissolved. One of the class representatives, Matthew Elvey, the individual who had originally filed the case in May 2007, opposed the settlement -- even though he had signed it days prior. Mr. Elvey stated that he had been threatened, which is why he agreed to sign the settlement. His opposition claimed that the settlement was not fair, that he had been an identity theft victim as a result of the TD Ameritrade breach, and that some of the reasoning behind the decision to settle was flawed. During the same court hearing, one of the most significantly discussed “reasons” for settling was the results of an “organized misuse” analysis, which was done by a third party organization, ID Analytics. This reason was particularly opposed by Mr. Elvey.
Now, before we dig into "organized misuse", we should first look at how one might assume a traditional investigation into a data breach would proceed. One would suppose that both during and after a breach, the organization experiencing it would first try to stop and contain it, then try to assess what exactly occurred, and then work out what was accessible, what was accessed, what was potentially lost, and what was confirmed as lost. In containing the breach, one might assume an organization would act swiftly, yet carefully. In assessing the scope, one might think an organization would look to its internal security systems to make determinations -- network logs, system logs, audit logs, and transaction logs. An organization might also contract with a firm with forensic expertise to assist in making those determinations and provide further analysis. Supposedly, this sort of analysis did occur. The "security officer" responsible at TD Ameritrade, William Edwards, gave a deposition regarding the details of the breach, which was sealed for "attorney's eyes only". We can't conclude much at all from this, however. But back to the hypothetical: what if the aforementioned "expected" protocol didn't provide sufficient information, or perhaps didn't provide "ideal" conclusions? Or, alternatively, what if those conclusions did not give the organization the answer it wanted to hear?
Fortunately, there's another option: a now nearly court-proven way to gain intelligence into the matter... in comes an "organized misuse" analysis. Companies, with what appears to be access to and/or partnerships with credit bureaus, can run some form of pattern analysis to determine whether or not identity theft is linked with a given organization, population, or sample. Presumably, they analyze occurrences of ID theft in a sample, and determine whether or not the sample shows a higher occurrence of ID theft than a baseline sample/population (no doubt via some fancy math and other complicated stuff).
Where this all gets interesting is that when the TD Ameritrade incident was originally disclosed, there was no mention of Social Security numbers being affected. OSF did not include it as a data type, nor did we find any indication in any reports regarding the incident that they had been included. In the process of fighting this class action suit, however, TD Ameritrade used an outside firm to run this “organized misuse” analysis, which came back as “negative”. TD Ameritrade could have simply said that Social Security numbers were not accessible, but they didn’t, which would imply that they were indeed accessible to the intruders. Nowhere in any of the documents we reviewed did we find any denial of this, and in fact, in many instances they confirmed that “Social Security numbers were in the database”.
That statement is very different from TD Ameritrade *outright* saying that Social Security numbers were accessible. It could have been that the nature of the compromise exposed a database view, and that Social Security numbers were not accessible through that view. Had that been the case, saying that they were not accessible seems like a stronger defense than going through an expensive "organized misuse" analysis process. It would seem evident that proving there were logical or physical gates in place that separated the data, and thus made it inaccessible, would have been a less expensive and more convincing argument to make, but no actual attempt was made to refute accessibility. From that, it does not seem a far stretch to assume that the numbers were accessible.
Still, relying on "organized misuse" analytics as some sort of "proof" that a breach of Social Security numbers did not occur is a bit curious, and possibly a logical fallacy. For one, it would only be reliable at the point in time when it was concluded, and actually might only be representative of a point in time months prior, given the delay with which credit data is populated. It could never definitively conclude that a breach of identities did not occur, since it could simply be the case that the stolen identities hadn't been sold or otherwise abused at the time of the analysis. Given the permanent nature of identities and specifically Social Security numbers, it also does not seem implausible that an identity thief might "hold on" to their find for some duration prior to capitalizing on it, as a way of "laundering" the identities. Granted, this is speculative, but so is the presumption that since no evidence of "organized misuse" exists, Social Security numbers had not been compromised.
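To make the point above concrete, here is an added toy model of the kind of rate comparison such an analysis presumably rests on; it is not ID Analytics' method (which is not disclosed in the case documents) and every number in it is constructed. It shows that a sample whose fraud rate matches the baseline at analysis time comes back "negative" even when misuse is simply still latent.

```python
import math

# Constructed inputs, not figures from the case: a baseline population and a
# breached sample that both start with a 0.5% identity-fraud rate.
BASE_SIZE = 1_000_000
BASE_CASES = 5_000          # 0.5% baseline rate
SAMPLE_SIZE = 100_000
SAMPLE_BASE_CASES = 500     # the same 0.5% rate inside the breached sample
EXCESS_CASES = 300          # constructed: fraud caused by the breach, once the data is used


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> float:
    """Pooled two-proportion z statistic for rate(sample) - rate(baseline)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se if se else 0.0


def visible_excess(months_since_breach: int, hold_months: int, lag_months: int,
                   ramp_months: int = 3) -> int:
    """Excess cases the credit data can show at analysis time.

    Models the two delays the text raises: the thief holds the data for
    hold_months before using it, and fraud takes lag_months to land in credit
    data; misuse then ramps in over ramp_months (integer steps, so no rounding).
    """
    onset = hold_months + lag_months
    if months_since_breach < onset:
        return 0
    steps = min(ramp_months, months_since_breach - onset + 1)
    return EXCESS_CASES * steps // ramp_months


def organized_misuse_check(months_since_breach: int, hold_months: int = 6,
                           lag_months: int = 2, alpha_z: float = 1.645) -> tuple[float, bool]:
    """Return (z, flagged): flagged means the sample's fraud rate is above
    baseline at a one-sided 5% level when the analysis is run."""
    sample_cases = SAMPLE_BASE_CASES + visible_excess(months_since_breach, hold_months, lag_months)
    z = two_proportion_z(sample_cases, SAMPLE_SIZE, BASE_CASES, BASE_SIZE)
    return z, z > alpha_z


if __name__ == "__main__":
    for m in (3, 9, 12):
        z, flagged = organized_misuse_check(m)
        print(f"analysis {m:2d} months after breach: z={z:6.2f} flagged={flagged}")
```

The same stolen data yields a clean negative at month 3 and a strongly positive result at month 12; the test says nothing about the data's exposure, only about how much misuse has surfaced so far.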
Regardless, the settlement would have essentially consisted of the following:
- TD Ameritrade would post notices 4 times in the year, for 1 week each, regarding the incident.
- Members of the class would get a free 1 year subscription for Trend Micro Internet Security Pro (retail value $69.96). The software was to address the spam that came as a result of the disclosure of TD Ameritrade customers' email addresses.
- TD Ameritrade would commit to twice yearly external penetration testing.
- TD Ameritrade would perform account seeding to detect compromise of email accounts.
- Class members would give up their right to form another class action lawsuit, but could pursue TD Ameritrade as individuals if identity theft did occur as a result of the breach.
- TD Ameritrade would donate $20,000 to the Honeynet Project, and $35,000 to the National Cyber Forensics and Training Alliance.
- TD Ameritrade would cover all legal expenses of the case incurred by the class.
- A settlement notice would be posted in USA Today.
Elvey retained additional counsel to oppose the settlement that he and his original counsel had signed. Over the course of several months, and several court appearances, the plaintiff and the defendant seemed to "buddy up" to some degree, while Elvey continued to oppose with his new representation. Elvey had all but been discredited when, in late 2008, the Texas Attorney General jumped in on behalf of a stated nearly half-million Texans represented in the class. The Texas AG had the following to say (as summarized by the judge):
- the proposed settlement agreement offered “no meaningful relief to the class members”;
- the award of proposed fees to class counsel was excessive;
- the proposed settlement failed to address the harm of identity theft adequately;
- the proposed release was too broad;
- the Texas Attorney General contended that the settlement was essentially worthless because the "warning" to be placed on the TD Ameritrade website would largely go unseen by consumers most vulnerable to stock spam;
- the security measures TD Ameritrade agreed to conduct should have been conducted by "any reputable company" anyway;
- the coupon for security software was of little value because similar software was largely available to most Internet users for free or at low cost;
- the Texas Attorney General noted that the class members were to receive no monetary recovery while the proposed attorney fee award for class counsel was substantial -- $1.87 million;
- the proposed settlement agreement did not address adequately the potential harm to class members from identity theft;
- the Texas Attorney General further argued that the settlement agreement should make clear that the individuals who engaged in the unauthorized access are not "Released Parties", and "Releasing Parties" should be amended to make clear that government entities such as the Texas Attorney General have not released any claims to relief related to this security breach;
These oppositions were strong, and spun off months of additional negotiations between the plaintiff, the defendant, and the Texas AG's office. The revamped settlement, which won the approval of the Texas AG, was a slightly improved version. It emphasized somewhat more the risk of ID theft from the breach, and also removed or revamped some of the limits that class members would have had imposed on them for additional suits, but substantively didn't really alter much.
What it did change was that it created a new argument for the defendant and the plaintiff: "The Texas AG signed off...", which sealed the deal and seemed to outweigh any opposition to the settlement by Mr. Elvey. The revised settlement was "preliminarily approved", on May 1st, 2009, bringing the class action suit a big leap forward towards conclusion.
In all, this is a fascinating case, which raises several questions: why is this "organized misuse" analysis so convincing? What is so confidential about the deposition given by Mr. Edwards? It was sealed for several reasons, some of which seem a little far-fetched. One was that it might expose the class to the risk of identity theft, and that was vaguely related to the fear that such information, if made public, would somehow entice or encourage hackers to go after TD Ameritrade. This doesn't seem all that realistic. The firm has a million reasons to be concerned about security, but other aspects of the case suggest that this "concern" is a recent phenomenon at TD Ameritrade. For instance: how exactly is a commitment to perform "twice yearly independent vulnerability scans" a benefit to the class? Is TD Ameritrade not already required by industry standards like PCI, or better yet, its own internal security policies, to do so? Was this not point 6 of the Texas AG's argument? And why did the Texas AG back down on several points?
And those are just the questions on one side of the coin. Why did Elvey approve the settlement in the first place? The "threats" claimed could use some additional scrutiny. Had he not signed the settlement, would things have gone much differently? Did Elvey's "late game" claims of identity theft help or hurt his case?
We don't yet have all the final numbers on this, as the case is still ongoing, but when we do we'll update the incident with the final costs associated with this class action suit. The costs will be of some substance, but from the looks of it, a very small amount per record breached. We are updating the data types to include Social Security numbers, partially because of a recent article in the media on the topic, and partially due to the information gathered from the court documents. All the documents we've collected regarding this case are available for your perusal here.
We believe that legal insight into, and the costs associated with, data loss incidents are key indicators to help fully understand their true impact. We are in the process of starting a new legal sub-project that will be tightly integrated into DataLossDB. The project will focus on collecting information on lawsuits associated with data loss incidents. The goal is to provide more depth to the data, give us some editorial fodder, and most importantly, get some empirical data on the legal costs of a data loss incident. If you are interested in helping to lead, shape, and ultimately maintain this project, please contact [email protected]