For Immediate Release
Ameritrade Lawsuit Settlement Fails to Shed Light on Massive Security Breach, Public Citizen Says
Federal Court Should Reject Settlement, Order Firm to Reveal Details of Computer Data Theft
WASHINGTON - Public Citizen has urged a federal judge to reject a lawsuit
settlement between TD Ameritrade and as many as six million of its
clients, saying the deal does little to address a security breach that
allowed hackers access to customers' Social Security numbers, birth
dates, account numbers and e-mail addresses.
Public Citizen filed the brief Friday afternoon in the U.S. District
Court for the Northern District of California on behalf of its client,
Matthew Elvey, an Ameritrade customer and lead plaintiff in the class
action suit against the Internet stock-trading company.
Elvey, a San Francisco Bay area computer consultant, learned of the
security breach when he started receiving spam at an e-mail address he
used exclusively with his Ameritrade account. When he informed
Ameritrade of the problem in November 2006, the company responded via
e-mail that it was "conducting a thorough investigation into this
matter." What the company didn't tell him was that it had been
receiving similar complaints from other clients for more than a year.
Elvey opposes the settlement reached by the law firm handling the
class-action case on behalf of Ameritrade customers. The proposed
settlement requires Ameritrade to provide its clients with a one-year
subscription to anti-spam software but does little else to acknowledge
the security breach or to respond to customers who had been complaining
for almost two years that their private account information was being
stolen from the company.
The deal does not require Ameritrade to implement any new security
practices or even reveal the extent of the breach and what, if
anything, the company has done to fix the problem. To date, Ameritrade
has acknowledged only that its clients' e-mail addresses were
compromised, while saying only that there is "no evidence" that any
other information was taken.
"It's absurd to think that hackers would steal e-mail addresses from
Ameritrade's data base, while ignoring more prized information, such as
Social Security numbers and birth dates," said Greg Beck, a Public
Citizen lawyer working on the case. "The only people who benefit from
this settlement are the plaintiffs' lawyers - who will receive $1.8
million in fees - and Ameritrade officials who would rather pretend
this security breach never happened."
At about the time that the breach came to light, Elvey's Social
Security number was used in a fraudulent transaction. Elvey wants the
judge to reject the settlement and thus keep up the pressure on
Ameritrade to make information about the breach available to the
public, including how it happened and what information was taken. A
deposition of Ameritrade's security chief has not been made part of the
public record. Without access to this information, Elvey and other
Ameritrade clients cannot assess the merits of the proposed settlement,
"The least Ameritrade can do is be honest with its clients about
what went wrong and what it has done to fix the problem," said
California attorney Mark A. Chavez, who is representing Elvey with