What made the Ameritrade data breach particularly memorable was not that 6.3 million customers had their personal info compromised. No, what made it memorable was that the company had received multiple warnings from IT professionals over more than a year that its database had been compromised -- yet took no action before the bits hit the fan last fall.
And here's what will make the settlement of a resultant class-action lawsuit memorable, provided a judge overcomes his nausea and eventually blesses the deal: Of the nearly $2 million Ameritrade would pay for its sins, almost all of it would wind up in the pockets of plaintiff's lawyers.
What would those victimized get?
A year's worth of spam blocking service.
David Kravets writes in Wired:
A federal judge on Friday declined to approve a proposed settlement of a class-action representing as many as 6.3 million TD Ameritrade customers whose privacy was breached when hackers stole personal identifying customer information.
U.S. District Judge Vaughn Walker was concerned whether the deal, which gives more than $1.8 million in legal fees to the plaintiff's attorneys, would provide any real benefits to the class of online brokerage customers.
The judge had other concerns as well, including a contention from lead plaintiff Matthew Elvey that he had been coerced into accepting the terms of the deal despite his belief that it was inadequate. (Elvey elaborates on the weaknesses here.)
Recap: Swimming pools and private-school tuition for the lawyers and their families; warm bucket of spit for Ameritrade customers whose inboxes ballooned with spam after the dam broke.
Of course, this is pretty much the way things go in class-action lawsuits where the individual members of the class incur damages that are relatively minor and/or difficult to quantify. But it's still a less-than-satisfying outcome for those on the receiving end of Ameritrade's sloppiness and stubborn refusal to listen to what experts were telling them.
And none of this comes as much of a surprise to Josh Fritsch, an IT security veteran who was among those sounding alarms in early 2006 that Ameritrade had a problem. Fritsch was also among the Ameritrade customers victimized, but not a party to the lawsuit.
"In the end, (the suit is) not going to matter much," Fritsch tells me. "Any real compensation for carelessness with personal data will never be offered, and the token concessions which are made are basically useless."
"If Ameritrade were serious about making amends for their error (and ignoring the error for so long) they would publicly disclose the full results of their investigation, thus 'proving' their claim that there was no real problem," he adds. "They would also offer a choice of free service from them (such as free trades) or free service with a competing broker (at Ameritrade's expense) if the victim elects to find service elsewhere. This would rebuild trust, prove honesty, and demonstrate a sense of caring for their clients."
Likelihood of that happening?
"Don't hold your breath."