By Sharon Gaudin
September 17, 2007
An attorney launching a class-action lawsuit against TD Ameritrade
Holding alleges the online brokerage knew a hacker had access to a
customer database as far back as a year ago.
Last Friday, Ameritrade e-mailed account holders and put a public
advisory on its Web site alerting users that a hacker broke into one of
its databases and stole personally identifying information for some of
its 6.3 million customers. The company said names, e-mail addresses,
phone numbers, and home addresses were taken in the data breach. Client
assets, along with user IDs, personal identification numbers, and
passwords, were not stored in the compromised database.
However, the advisory noted that it's unclear whether account numbers,
dates of birth, and Social Security numbers were stolen. Ameritrade did
not say when the hackers got into the database or how long they remained.
Kim Hillyer, a spokeswoman for Ameritrade, said in an interview that all
of the company's 6.3 million accounts that were opened before July 18 of
this year were breached. She would not say when the company first
learned that there had been a breach, only offering that "they had been
investigating client reports of spam for some time."
She said in the last few weeks they discovered that malicious code had
been embedded in the system. She would not say what part of the system
was infected or what kind of code it was. "We have been working with
forensics," she said. "They said they've never seen it before."
Hillyer also said that while the investigation was ongoing, as new
customers came on board, the company put their information in the
compromised database. "We didn't know what the cause of the leak was,"
she added. "Anyone who opened an account after July 18, though, was not
affected by this."
Scott Kamber of Kamber & Associates, a New York law firm that sued Sony
BMG last year for its use of a rootkit, told InformationWeek on Monday
that the lawsuit initially claimed that Ameritrade knew about the data
breach last November. However, he says he now has information that the
company knew about the ongoing breach a full year ago.
Kamber, who filed the suit this past May, had recently filed a
preliminary injunction asking the court to compel Ameritrade to disclose
the data breach and the compromised information to current and
prospective customers. The company was given a two-week adjournment and
made the public announcement during that recess.
"I am glad customers finally know of the compromise of their personal
information," said Kamber. "I'm not pleased it took the company so long
to do that."
Hillyer said she could not comment on ongoing litigation but said, "As
soon as we discovered it, we stopped it. And as soon as we had gathered
enough information, we notified our clients."
Ameritrade notified the FBI and the U.S. Securities and Exchange
Commission last week, according to the spokeswoman.
Ameritrade tracked down the break-in while doing an internal
investigation into stock-related spam. The company called in forensic
investigators and they discovered "unauthorized code" in their system
that provided access for the hacker or hackers. According to the
advisory, the code has been eliminated from the system.
Kamber alleges one of the two Ameritrade customers represented in the
lawsuit gave the company his e-mail address last October and began
receiving pump-and-dump spam the next month. That same customer then
asked Ameritrade to change his e-mail address in February and received
the same kind of spam soon after the change was made.
"Ameritrade knew of a compromise to customer information and they chose
not to disclose it until they found out how it happened," added Kamber.
"It was Ameritrade's customers' right to know their information had been
compromised. It sets a dangerous precedent for companies to wait a year
to disclose that people's information was compromised."
Security company Sophos is warning Ameritrade users to be on "red alert"
against targeted spam attacks. The company's researchers reported in an
online alert that they have spotted hackers trying to exploit the stolen
Ameritrade e-mail addresses, using them to lure users to a spoofed
Ameritrade site in an attempt to capture user IDs and passwords.
Sophos also noted that a database of 6.3 million targeted e-mail
addresses is likely to be a valuable commodity in the computer
underground, and the information may be sold between criminal groups for
"A current and authenticated e-mail address is a prized possession in
the criminal underworld. It's the first piece of the jigsaw needed to
build up a user identity that a hacker can adopt in order to access
online retail or bank accounts," said Graham Cluley, a Sophos senior
technology consultant, in a written statement. "While TD Ameritrade has
gone to great lengths to reassure customers that this breach hasn't led
to any ID theft, no one should underestimate just how wily hackers can
be in order to extort confidential information from unsuspecting