Ameritrade Shows Peril of Backup Tapes

For the second time this year, a high-profile financial company has lost a backup tape containing customer data while shipping the tape to an off-site storage facility.

Brokerage company Ameritrade has begun warning about 200,000 current and former customers about the loss of a backup tape containing their personal information, officials said this week.

The news follows Bank of America’s admission in February that it lost tapes containing the personal data of 1.2 million federal employees.

The incidents show the vulnerability that companies face when storing backup tapes off site, and could add to growing calls for data encryption and a national data privacy law.

“Companies need to do risk assessments on their backup processes,” said Jon Oltsik,
senior analyst for information security at Enterprise Strategy Group. “There are far more vulnerabilities than most people think.”

Ameritrade discovered the loss in February when it received a damaged package containing a number of backup tapes shipped from its secure facilities in the U.S. Katrina Becker, an Ameritrade spokeswoman, said the shipping company caused the damage to the package.

Ameritrade immediately launched an investigation and learned four tapes were missing, three of which were subsequently recovered at the shipper’s facility. The fourth, containing personal information on customers who used the company’s service between 2000 and 2003, hasn’t been recovered, she said.

“Those tapes were all found within the shipper’s facility, which was also secure, so it is highly likely that the remaining tape was lost or destroyed within that facility, but we are still monitoring it,” she said. “We do not believe foul play was involved.”

Company officials started contacting customers last week, Becker said. She would not name the shipping company responsible for the lost tapes, saying only that it is a global, reputable shipping company with its own secure facilities.

Becker said that while the clients’ personal information was stored on the backup tapes, damaging information like Social Security numbers isn’t included in all customer records, and it’s highly unlikely that credit card numbers were similarly stored on the tapes.

Becker said the information was unencrypted, but the tapes were “nondescript and compressed,” and therefore hard to access. She said the company used California’s data privacy law as guidance in deciding to notify customers, but went further than that state law requires by notifying customers nationally.

Ameritrade has changed some policies and procedures in response to the mishap, Becker said, but she declined to discuss specifics.

Data theft has become a topic of national concern in recent months. Publisher Reed Elsevier reported the information theft of up to 310,000 individuals and credit-check company ChoicePoint also announced the theft of individual information earlier this year.

The incidences prompted a Congressional hearing to consider legislation that forces data brokers to notify consumers if personal information is compromised. Currently, only the state of California has such a law in place.

Paul Shread
Paul Shread
eSecurity Editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including an award-winning series on software-defined data centers. He wrote a column on small business technology for Time.com, and covered financial markets for 10 years, from the dot-com boom and bust to the 2007-2009 financial crisis. He holds a market analyst certification.

Latest Articles

Top Big Data Tools & Software 2021

Big data tools collect, organize and analyze large amounts of data for information. Explore the best Big Data software now.

IBM Brings Ransomware Protection, as-a-Service Options to FlashSystem Arrays

The tech giant addresses cybersecurity concerns with new security capabilities added to its FlashSystem all-flash storage arrays.

AWS Provides High-Performance SAN in the Cloud

The move by Amazon Web Services is designed to deliver performance-intensive, mission-critical workloads into the cloud.