[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Attorney Alleges Ameritrade Knew Of Security Breach A Year Ago


By Sharon Gaudin
September 17, 2007

An attorney launching a class-action lawsuit against TD Ameritrade 
Holding alleges the online brokerage knew a hacker had access to a 
customer database as far back as a year ago.

Last Friday, Ameritrade e-mailed account holders and put a public 
advisory on its Web site alerting users that a hacker broke into one of 
its databases and stole personally identifying information for some of 
its 6.3 million customers. The company said names, e-mail addresses, 
phone numbers, and home addresses were taken in the data breach. Client 
assets, along with user IDs, personal identification numbers, and 
passwords, were not stored in the compromised database.

However, the advisory noted that it's unclear if account numbers, dates 
of birth, and Social Security numbers were stolen. Ameritrade did not 
say when the hackers got into the database or how long they remained 

Kim Hillyer, a spokeswoman for Ameritrade, said in an interview that all 
of the company's 6.3 million accounts that were opened before July 18 of 
this year were breached. She would not say when the company first 
learned that there had been a breach, only offering that "they had been 
investigating client reports of spam for some time."

She said in the last few weeks they discovered that malicious code had 
been embedded in the system. She would not say what part of the system 
was infected or what kind of code it was. "We have been working with 
forensics," she said. "They said they've never seen it before."

Hillyer also said that while the investigation was ongoing, as new 
customers came on board, the company put their information in the 
compromised database. "We didn't know what the cause of the leak was," 
she added. "Anyone who opened an account after July 18, though, was not 
affected by this."

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony 
BMG last year for its use of a rootkit, told InformationWeek on Monday 
that the lawsuit initially claimed that Ameritrade knew about the data 
breach last November. However, he says he now has information that the 
company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a 
preliminary injunction asking the court to compel Ameritrade to disclose 
the data breach and the compromised information to current and 
prospective customers. The company was given a two-week adjournment and 
made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal 
information," said Kamber. "I'm not pleased it took the company so long 
to do that."

Hillyer said she could not comment on ongoing litigation but said, "As 
soon as we discovered it, we stopped it. And as soon as we had gathered 
enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange 
Commission last week, according to the spokeswoman.

Ameritrade tracked down the break-in while doing an internal 
investigation into stock-related spam. The company called in forensic 
investigators and they discovered "unauthorized code" in their system 
that provided access for the hacker or hackers. According to the 
advisory, the code has been eliminated from the system.

Kamber alleges one of the two Ameritrade customers represented in the 
lawsuit gave the company his e-mail address last October and began 
receiving pump-and-dump spam the next month. That same customer then 
asked Ameritrade to change his e-mail address in February and received 
the same kind of spam soon after the change was made.

"Ameritrade knew of a compromise to customer information and they chose 
not to disclose it until they found out how it happened," added Kamber. 
"It was Ameritrade's customers' right to know their information had been 
compromised. It sets a dangerous precedent for companies to wait a year 
to disclose that people's information was compromised."

Security company Sophos is warning Ameritrade users to be on "red alert" 
against targeted spam attacks. The company's researchers reported in an 
online alert that they have spotted hackers trying to exploit the stolen 
Ameritrade e-mail addresses, using them to lure users to a spoofed 
Ameritrade site in an attempt to capture user IDs and passwords.

Sophos also noted that a database of 6.3 million targeted e-mail 
addresses is likely to be a valuable commodity in the computer 
underground, and the information may be sold between criminal groups for 
multiple uses.

"A current and authenticated e-mail address is a prized possession in 
the criminal underworld. It's the first piece of the jigsaw needed to 
build up a user identity that a hacker can adopt in order to access 
online retail or bank accounts," said Graham Cluley, a Sophos senior 
technology consultant, in a written statement. "While TD Ameritrade has 
gone to great lengths to reassure customers that this breach hasn't led 
to any ID theft, no one should underestimate just how wily hackers can 
be in order to extort confidential information from unsuspecting 

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com