A computer backup tape containing account information of more than 200,000 Ameritrade clients was apparently lost or accidentally destroyed while being shipped, prompting the online investment brokerage to notify the clients of a potential breach.
Donna Kush, a spokeswoman for the Omaha-based company, Wednesday confirmed that a package of data backup tapes was damaged in transit in late February by a shipping company that isn't being named. Four of the tapes in the package disappeared after the package was damaged but three were later found by the shipper during a search of its facility, she said.
The fourth tape is still missing and is presumed to still be lost in the facility or to have been destroyed accidentally.
"We do believe that foul play was not involved," Kush said. "We don't feel that any of the [client] information has led to any misuse."
The backup tapes held account information for clients and former clients from 2001 to 2003, Kush said.
Last week, the clients began receiving letters from Ameritrade telling them of the incident and offering one free year of credit-protection services from Identity Track. Chantilly, Va.-based Identity Track monitors credit profiles and alerts clients to activity that may indicate identity theft -- including recent inquiries, new accounts or address changes. Consumers can also access and review their credit reports.
In its letter to clients, Ameritrade said it's adding another layer of security to their accounts.
Kush wouldn't discuss what is being done in detail. "We're evaluating our processes and procedures on what we do here and are making some changes," she said.
Kush said the company acted as quickly as possible after learning in late February that the tapes were missing. "It took some time to work with the [shipping] vendor" after the loss was discovered, she said. "It took some time just to find those three tapes." More time elapsed as the search continued for the fourth tape.
"We feel we acted promptly," she said.
The backup tapes weren't labeled with Ameritrade's name or logo or any other identifiable information, Kush said. Although the data on the tapes was compressed and special equipment would be needed to read it, the information wasn't encrypted.
Under California law, which mandates that customers be told of potential data breaches, the company would have been required to notify about 175,000 of the affected former and current clients. But Ameritrade chose to send letters to all potentially affected clients.
The incident differs from several other recent high-profile data loss cases, which largely involved computer system break-ins or the thefts of actual computers. Last week, about 106,000 alumni of Tufts University in Boston were notified that personal information stored on a server used by the university for fund raising could have been exposed to intruders.
Last month, officials at the University of California, Berkeley, said they were notifying more than 98,000 graduate students and applicants about the theft of a laptop computer on campus containing their names, Social Security numbers and other personal information. Another data breach in March at data broker LexisNexis may have exposed personal information of some 320,000 people (see story), while credit and personal information vendor ChoicePoint sold personal information on about 145,000 people to thieves posing as legitimate businesses.
That incident was made public in February.