Ameritrade customers vent about data breach

They want a fuller explanation of exactly what happened
By Tim Greene, NetworkWorld.com, 09/20/2007

The 2.3 million Ameritrade customers whose personal data was compromised sometime over the past 20 months can get a free year of credit checks, but only if they ask for it.

The company says it will sign its customers up for the service on an exception basis - meaning they don’t automatically get it - but it doesn’t advertise this option in any of the literature it has put out concerning the data compromise.

By contrast, in its initial August notification letter about a stolen laptop that contained sensitive employee data, AT&T offered employees a free, one-year credit-watch service.

This is just one aspect of how Ameritrade is handling the data breach that rankles its customers. “They could say, 'We've done everything we can to protect you, but because we don't want to take any chances with our very valuable customers, we're going to offer you this triple protection,'” says David O’Berry, an Ameritrade customer who went through multiple rounds of e-mails before the company finally told him about the credit watch.

O’Berry, the IT director for South Carolina’s Department of Probation, Parole and Pardon, is also worried that what he has been able to learn about the incident and the subsequent investigation is inconclusive. That leaves him uncomfortable.

Ameritrade told its customers Sept. 14 that it had discovered unauthorized code in its systems that allowed outsiders to retrieve data from client databases. It has hired ID Analytics to do a forensic investigation of the intrusion.

Ameritrade says it knows that names, addresses, phone numbers, e-mail addresses and miscellaneous trading information were taken, such as the number of trades placed by a particular person over a given period, but not what particular shares were bought or sold.

The company says it knows for sure that Social Security numbers for some of its clients - those acquired from TD Waterhouse - were not taken, and it doesn’t know about the rest. But a spokeswoman says that as forensics consultants wade further back in time through the database, they will be able to say for sure whether the rest of the Social Security numbers were accessed.

That’s the part that worries O’Berry. “They're saying ID Analytics has confirmed that no [Social Security numbers] were out,” he says. “How in the world do they know that, if they're in the same database? They need to be able to prove that.”

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

Ameritrade says it discovered the malicious code as a follow-up to customer complaints. Customers said they were getting almost exclusively stock-related spam in e-mail accounts they set up just to handle correspondence with Ameritrade and nothing else. Within weeks of customers creating new Ameritrade-only e-mail accounts, the spam resumed.

“This was a fairly consistent, over-time breach situation that was forwarding information out as it changed,” O’Berry says.
