[ISN] Judge Weighing Ameritrade Hack Lawsuit Settlement

From: InfoSec News (alerts@private)
Date: Fri Jun 13 2008 - 00:02:04 PDT


http://blog.wired.com/27bstroke6/2008/06/judge-weighing.html

By David Kravets 
Threat Level
Wired.com
June 12, 2008

A federal judge on Thursday put off approving a proposed settlement of a 
class action representing as many as 6.3 million TD Ameritrade customers 
whose data was breached when hackers stole personal identifying customer 
information.

Among the reasons: The lead plaintiff, who signed the deal, opposed it 
in open court Thursday and said his lawyers coerced him into accepting 
the accord.

The data theft, disclosed in September, gave hackers access to customer 
names, phone numbers, e-mail accounts and home addresses. Social 
Security or account information was not compromised, according to the 
settlement. Customers fell victim, however, to SPAM attacks.

U.S. District Judge Vaughn Walker, who called the hearing "very 
interesting," said he would rule on the deal soon.

After lead plaintiff Matthew Elvey said the agreement did not go far 
enough, his attorney and the lawyer for Ameritrade both said that was 
"news to us."

"I believed I was deceived into the terms of the settlement," plaintiff 
Elvey told Threat Level outside the courtroom. "I don't think it does 
anything substantial."

Under the accord, class members would be entitled to a one-year 
subscription to "Trend Micro Internet Security Pro," about a $70 retail 
value. The biggest payout goes to class lawyers, who are set to get more 
than $1.8 million.

Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly 
less" than retail value for the Security Pro software.

Elvey said the software is "available for free after rebate" at some 
electronics stores.

If approved by Walker, the agreement allows class members to opt out or 
challenge it. The company denied liability.

In a statement last year, it announced it "discovered and eliminated 
unauthorized code from its systems that allowed access to an internal 
database. The discovery was made as the result of an internal 
investigation of stock-related SPAM."

Elvey's lawyer, Scott Kamber, said outside of court that "this is a 
great settlement" and that he would have sought Walker's approval even 
without Elvey's signature. "We have a fiduciary responsibility to the 
class," he said.

In a telephone interview, he said, "We never pressured Mr. Elvey 
whatsoever."

The accord covers all customers who provided an e-mail or physical 
address as of Sept. 14, 2007. No arrests have been reported.

The company said there have been no instances of identity theft, but 
agreed to assist identity theft victims under terms of the settlement 
agreement.

Among other things, the accord requires the company to post information 
on its web site regarding "important information on protecting your 
assets from online threats such as identity theft, phishing, spyware, 
viruses, e-mail fraud and stock touting SPAM."

Ameritrade, of Nebraska, also agreed to retain independent experts to 
conduct bi-annual penetration tests at least through 2009. It has also 
retained ID Analytics, a company specializing in identifying organized 
identity theft. "Two such analyses already have been performed and have 
identified no evidence of identity theft," according to the accord.

Also, the deal requires a $20,000 donation to the Honeynet Project and 
$35,000 to the National Cyber Forensics and Training Alliance.

