By David Kravets
June 12, 2008
A federal judge on Thursday put off approving a proposed settlement of a
class-action representing as many as 6.3 million TD Ameritrade customers
whose data was breached when hackers stole personal identifying customer
Among the reasons: The lead plaintiff, who signed the deal, opposed it
in open court Thursday and said his lawyers coerced him into accepting
The data theft, disclosed in September, gave hackers access to customer
names, phone numbers, e-mail accounts and home addresses. Social
Security or account information was not compromised, according to the
settlement. Customers fell victim, however, to SPAM attacks.
U.S. District Judge Vaughn Walker, who called the hearing "very
interesting," said he would rule on the deal soon.
After lead plaintiff Matthew Elvey said the agreement did not go far
enough, his attorney and the lawyer for Ameritrade both said that was
"news to us."
"I believed I was deceived into the terms of the settlement," plaintiff
Elvey told Threat Level outside the courtroom. "I don't think it does
Under the accord, class members would be entitled to a one-year
subscription of "Trend Micro Internet Security Pro," about a $70 retail
value. The biggest payout goes to class lawyers, who are set to get more
than $1.8 million.
Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly
less" than retail value for the Security Pro software.
Elvey said the software is "available for free after rebate" at some
If approved by Walker, the agreement allows class members to opt out or
challenge it. The company denied liability.
In a statement last year, it announced it "discovered and eliminated
unauthorized code from its systems that allowed access to an internal
database. The discovery was made as the result of an internal
investigation of stock-related SPAM.
"Elvey's lawyer, Scott Kamber, said outside of court that "this is a
great settlement" and that he would have sought Walker's approval even
without Elvey's signature. "We have a fiduciary responsibility to the
class," he said.
In a telephone interview, he said "We never pressured Mr. Elvey
The accord covers all customers who provided an e-mail or physical
address as of Sept. 14, 2007. No arrests have been reported.
The company said there have been no instances of identity theft, but
agreed to assist identity theft victims under terms of the settlement
Among other things, the accord requires the company to post information
on its web site regarding "important information on protecting your
assets from online threats such as identity theft, phishing, spyware,
viruses, e-mail fraud and stock touting SPAM."
Ameritrade, of Nebraska, also agreed to retain independent experts to
conduct bi-annual penetration tests at least through 2009. It has also
retained ID Analytics, a company specializing in identifying organized
identity theft. "Two such analyses already have been performed and have
identified no evidence of identity theft," according to the accord.
Also, the deal requires a $20,000 donation to the Honeynet Project and
$35,000 to the National Cyber Forensics and Training Alliance.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com