http://blog.wired.com/27bstroke6/2008/06/judge-weighing.html

By David Kravets
Threat Level
Wired.com
June 12, 2008

A federal judge on Thursday put off approving a proposed settlement of a class-action representing as many as 6.3 million TD Ameritrade customers whose data was breached when hackers stole personal identifying customer information.

Among the reasons: The lead plaintiff, who signed the deal, opposed it in open court Thursday and said his lawyers coerced him into accepting the accord.

The data theft, disclosed in September, gave hackers access to customer names, phone numbers, e-mail accounts and home addresses. Social Security or account information was not compromised, according to the settlement. Customers fell victim, however, to SPAM attacks.

U.S. District Judge Vaughn Walker, who called the hearing "very interesting," said he would rule on the deal soon. After lead plaintiff Matthew Elvey said the agreement did not go far enough, his attorney and the lawyer for Ameritrade both said that was "news to us."

"I believed I was deceived into the terms of the settlement," plaintiff Elvey told Threat Level outside the courtroom. "I don't think it does anything substantial."

Under the accord, class members would be entitled to a one-year subscription of "Trend Micro Internet Security Pro," about a $70 retail value. The biggest payout goes to class lawyers, who are set to get more than $1.8 million.

Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly less" than retail value for the Security Pro software. Elvey said the software is "available for free after rebate" at some electronics stores.

If approved by Walker, the agreement allows class members to opt out or challenge it.

The company denied liability. In a statement last year, it announced it "discovered and eliminated unauthorized code from its systems that allowed access to an internal database. The discovery was made as the result of an internal investigation of stock-related SPAM."

Elvey's lawyer, Scott Kamber, said outside of court that "this is a great settlement" and that he would have sought Walker's approval even without Elvey's signature. "We have a fiduciary responsibility to the class," he said. In a telephone interview, he said "We never pressured Mr. Elvey whatsoever."

The accord covers all customers who provided an e-mail or physical address as of Sept. 14, 2007.

No arrests have been reported. The company said there have been no instances of identity theft, but agreed to assist identity theft victims under terms of the settlement agreement.

Among other things, the accord requires the company to post information on its web site regarding "important information on protecting your assets from online threats such as identity theft, phishing, spyware, viruses, e-mail fraud and stock touting SPAM."

Ameritrade, of Nebraska, also agreed to retain independent experts to conduct bi-annual penetration tests at least through 2009. It has also retained ID Analytics, a company specializing in identifying organized identity theft. "Two such analyses already have been performed and have identified no evidence of identity theft," according to the accord.

Also, the deal requires a $20,000 donation to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance.