Dark Reading is part of the Informa Tech Division of Informa PLC


Risk | Commentary
9/14/2007 05:33 PM
Keith Ferrell

Don't Do As TD Ameritrade Does -- And Don't Do As They Say, Either

The security breach that let spammers get hold of as many as 6.3 million TD Ameritrade customer names, phone numbers and e-mail addresses is being spun as a "Well, they didn't get Social Security numbers, account numbers, PINs or other confidential info; still we apologize for any inconvenience or annoyance," sort of problem. Mistake. Big mistake.

Company response to the TD Ameritrade hack -- which bears a certain resemblance to the recent Monster.com fiasco -- is starting to look like a textbook case of what not to say when company data of any sort gets compromised.

Take a look, for example, at this statement from Joe Moglia, TD Ameritrade's CEO:

"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them. We sincerely apologize for that and any added concern this may have caused."

Who wrote that statement? Is no one looking out for Mr. Moglia's crisis-management demeanor and the message he's sending to customers and the press? Evidently not. To wit:

"... while there is no evidence that our clients' Social Security numbers were taken..."

Which sends the message, not deliberately, I'm sure, that there's also no evidence yet that SS numbers were not taken. That's surely not what Mr. Moglia intended to say, and it's just as surely not the message he -- or his Mar/Com handlers -- intended to send, but there it is.

Onward:

"We understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them."

It's more than that -- as the compromised names and numbers get shared and spread, and re-shared and more widely spread, every bit of junk mail will remind the recipient that their address got grabbed from a compromised TD Ameritrade database. That's more than an annoyance, and a lot more than an inconvenience, and Mr. Moglia should have acknowledged that.

This, from Mr. Moglia's statement, strikes me as putting bad icing on a bad cake:

"This issue is not unique to TD AMERITRADE. It's something that all companies involved in e-commerce should be aware of and prepared to address. We participate in industry peer groups to share information on these types of threats in the interest of protecting all clients."

Which tells clients only that a) we're not the only ones not doing a good enough job of keeping our databases safe, and b) the information being shared among the peers isn't good enough, deep enough, effective enough.

Note: I'm not saying that Mr. Moglia is wrong in what he's saying, only that the way he's saying it is wide open to misinterpretation by already "annoyed and inconvenienced" (and then some!) customers.

His video statement also includes this next comment, which has the advantage of being both accurate and true, but again doesn't seem to me to go far enough for a CEO whose company has been compromised:

"This is an issue for global e-commerce that will be with us for the rest of our lives."

As stated, it's hard to argue with -- but from a business perspective it would have been far more effective for Mr. Moglia to make a commitment right there, pledging a certain percentage of company revenue or profits or whatever to taking the lead in coordinating and invigorating the levels of information shared among participating "industry peer groups."

A couple of final points.

As I write this late in the afternoon, EST, TD Ameritrade's welcome page includes a soft yellow notice bar "regarding the recently reported SPAM investigations" and is otherwise business as usual, including an unfortunate (in present circumstances) We Promise Protection section.

Worse, when you follow the link to the SPAM investigations page, you get a page that is anything but assertive in putting information about the compromised data upfront and accessible. Scroll past the "Helping independent minded investors be successful" sell copy and you'll eventually find a Special Client Announcement section beneath which the compromise is covered through press releases, video statements and so on.

Look: Joe Moglia is absolutely right about the nature of this problem -- it will be with us forever. And I'm just as sure that his comments and his company's damage-control materials were put together carefully and thoughtfully.

Too carefully and too thoughtfully, I think. In the event of a breach, your customers and clients are going to be mad as hell, and they had better know that, on their behalf and on behalf of your company, you are, too.

If your company network and customer/client information gets hacked or compromised, you have got to be more aggressive -- much more aggressive, I think -- in confronting an issue which will, fairly or unfairly, be perceived as a failure of your business's security procedures and technology.

Your communications with your clients and customers, and with the wider public and press through your statements and Web site had better send the message that you are as "annoyed" by the situation as they are -- otherwise you're going to have a bunch of "annoyed and inconvenienced" customers getting angrier by the moment at your spin, and spinning themselves and their business away from your company to somebody else's.
