Josh Funk of Associated Press reports that Judge Vaughn Walker has rejected the settlement offer by TD Ameritrade. The settlement was in response to a hack in 2006 and 2007 which exposed customer contact information on 6.3 million clients. According to the AP, the judge found that the deal, which would give the affected customers anti-spam software for a year and a promise of tighter security in the future, did not provide sufficient benefit to customers while providing $1.9 million in legal fees.
Back in May, I had commented that:
The settlement will not result in any money for class members but the lawyers get almost $2 million. Indeed, it’s not clear to me that the class members get anything at all out of this settlement. I guess we’ll have to wait and see the actual terms when the deal is approved.
Judge Walker had tentatively approved the deal in May and then held a hearing in September, and it will be interesting to read his decision when it becomes available. What changed his mind between May and now?
Hey. I have a copy of Judge Walker’s decision on my website, along with my thoughts. See http://caringaboutsecurity.wordpress.com/2009/10/27/we-win-settlement-and-kamberedelson-booted/ for both. Please let me know what you think, by posting there or here. I certainly think your characterization in May of the compromised information as merely “contact information” is inappropriate! The idea that thieves, having gained full access to the database containing both, would choose to steal the email addresses only, while leaving the far more valuable SSNs, is simply farfetched, and no evidence has been introduced to support it.
What additional proof do I have?
1) I have a whistleblower’s word. I’m told that TD Ameritrade covered up the breach. TD Ameritrade took and continues to take steps that show bad faith in order to **hide from discovery, shut down and discourage** efforts by customers and staff to analyze or discuss aspects of the breach, even within the company. Also, one needs to carefully parse what TD Ameritrade HAS said. Everyone willing to stick their neck out about this has already had it chopped off (speaking metaphorically; they’re no longer with the company – fired, pushed out, or quit in disgust); anyone else who cares is lying low.
2) Also, my identity was stolen and used for new account identity theft, for the first time ever, starting the month after proof of the breach started to appear. A smoking gun? No. Evidence? Yes. AND, TDA ignored the smoking guns that showed they had been breached till I sued them, as I had proof.
Thanks, Matthew.
It’s clear that you firmly believe that SSN were accessed and/or acquired, but where is the proof of that other than your “common sense” kind of argument? You seem to expect bloggers or the media to ignore what the company has repeatedly asserted — that its investigation uncovered no evidence that SSN were accessed. Although I can certainly appreciate your skepticism, your references to information from a “whistleblower” are simply not sufficient basis for a responsible blogger or journalist claiming that SSN were actually accessed or acquired. Were SSN vulnerable to access? Clearly, since the database was accessed and the company acknowledges that SSN were in the database. I have no problem viewing them as left vulnerable to access or acquisition, but that stops short of proving that they were accessed.
Could their investigation have failed to uncover evidence that SSN were accessed? Sure. But again, there’s a difference between what might have happened and demonstrating that it actually happened.
That said, I think the settlement should operate on the assumption that the company may not have discovered the full extent of the breach and should provide more protection for everyone who had their SSN in the database — yes, even though there’s no proof that the SSN were accessed.