Sheesh… just when you think they’re over the hump, more details leak on the TD Ameritrade breach and they aren’t looking quite so competent anymore.

Network World has a good article up summarizing the latest developments. A few tidbits stand out:

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

There’s a word for statements like this… bullshit! Just because they haven’t traced any identity theft or other fraud to the SSNs in their database doesn’t mean the numbers aren’t sitting on some bad guy’s hard drive someplace. If they determined that SSNs are not at risk because the specific malicious software involved was analyzed and limited itself to email, then that’s one thing. But saying “nothing bad has happened so far, so nothing bad will ever happen” is stupid.

Folks, time for a reminder. This is all Crisis Communications 101- as history has shown, the best way to defend your reputations in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn’t have seen a bottle of Tylenol on a store shelf since the 1980’s.


The company says it will sign its customers up for the service on an exception basis -meaning they don’t automatically get it – but it doesn’t advertise this option in any of the literature it has put out concerning the data compromise.

is not putting your customers first.

The rest of us should learn from this; TD Ameritrade is now suffering more negative publicity than if they had come clean from the start.

I’ve moved our little poll on this to the sidebar, and will post the results on Monday. I’m starting to think it might be something other than SQL injection…