TD Ameritrade Finds Breach During SPAM Investigation
Date Reported:
9/14/07
Organization:
TD Ameritrade
Contractor/Consultant:
None
Victims:
TD Ameritrade retail and institutional clients
Number Affected:
6,300,000+*
*According to the article posted at the Chicago Tribune
Types of Data:
Name, address, email address, and phone number.*
*TD Ameritrade account numbers, dates of birth and Social Security numbers were also stored in the same database.
Breach Description:
TD Ameritrade announced the discovery of unauthorized code or program(s) found on its systems that allowed access to an internal database. The discovery occurred during an investigation into stock-related SPAM.
Reference URL:
http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
http://www.amtd.com/
Report Credit:
TD Ameritrade
Response:
Announcement on the TD Ameritrade homepage (http://www.tdameritrade.com):

From the official TD Ameritrade online press release referenced above:
"TD AMERITRADE Holding Corporation (NASDAQ:AMTD) has discovered and eliminated unauthorized code from its systems that allowed access to an internal database. The discovery was made as the result of an internal investigation of stock-related SPAM."
"The Company commissioned forensic data experts to assist in its investigation of this issue."
[Comfyllama] It is good practice to bring in outside (hopefully independent) experts in high-exposure cases where inside expertise or credibility may be lacking.
"Client assets held in accounts with the Company remain secure as UserIDs, personal identification numbers and passwords were not stored in this particular database."
[Comfyllama] I want to start by saying that I have little doubt that the UserIDs, PINs and passwords remain secure, but storing them in a separate database does not by itself make it so. Many companies link their databases and share data from one server to the next, and many reuse the same SA (sysadmin) password across servers. I am not familiar with the intimate details of this breach, but it is conceivable (and in some environments probable) that a breach of one internal database leads to another. This may not be the case at TD Ameritrade, but it has been the case in most of the companies I have assessed.
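An added example, not from the blog post and not describing any TD Ameritrade system, of the check behind that point: given an inventory of database hosts and the logins they accept, report every password that unlocks more than one host and the pivot paths it opens from a lower-value database to the one holding the credential store. The inventory below is constructed; the host names, roles, logins and passwords are made up for illustration.

```python
"""Flag database passwords reused across hosts and the pivot paths they create.

Added example. The inventory is constructed for illustration; none of the
hosts, logins or passwords refer to a real system.
"""
import hashlib
from collections import defaultdict

# Constructed inventory: (host, role of the data it holds, login, password).
# In practice this comes from a secrets vault export or a config sweep.
INVENTORY = [
    ("db-crm-01",  "marketing",   "sa",       "Summer2007!"),
    ("db-auth-01", "credentials", "sa",       "Summer2007!"),
    ("db-auth-01", "credentials", "app_auth", "x9!kQ2#pLm"),
    ("db-crm-01",  "marketing",   "app_crm",  "crm_reader_1"),
    ("db-bi-02",   "reporting",   "sa",       "Summer2007!"),
    ("db-bi-02",   "reporting",   "etl",      "crm_reader_1"),
]


def fingerprint(secret: str) -> str:
    """Short digest so the report can be shared without the plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_reuse(inventory):
    """Return {fingerprint: sorted [(host, login), ...]} for every password
    that is accepted on more than one distinct host."""
    by_fp = defaultdict(set)
    for host, _role, login, password in inventory:
        by_fp[fingerprint(password)].add((host, login))
    return {
        fp: sorted(pairs)
        for fp, pairs in by_fp.items()
        if len({host for host, _ in pairs}) > 1
    }


def pivot_paths(inventory, reuse, target_role):
    """List (source_host, target_host, fingerprint) for every reused password
    that lets an attacker who owns a host of some other role log in to a
    host holding target_role (for example the credential store)."""
    role_of = {host: role for host, role, _, _ in inventory}
    paths = []
    for fp, pairs in reuse.items():
        targets = {h for h, _ in pairs if role_of[h] == target_role}
        sources = {h for h, _ in pairs if role_of[h] != target_role}
        for src in sorted(sources):
            for dst in sorted(targets):
                paths.append((src, dst, fp))
    return paths


if __name__ == "__main__":
    reuse = find_reuse(INVENTORY)
    for fp, pairs in reuse.items():
        print(f"password {fp} shared by: {pairs}")
    for src, dst, fp in pivot_paths(INVENTORY, reuse, "credentials"):
        print(f"pivot: owning {src} also opens {dst} (password {fp})")
```

The report is only as good as the inventory feeding it, so run it against the vault or config export that actually provisions the servers, not a hand-maintained spreadsheet.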
"Information such as email addresses, names, addresses and phone numbers was retrieved from this database and affects TD AMERITRADE retail and institutional clients."
"While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken."
[Comfyllama] I have a little more trouble with this statement. Finding no evidence that the data was taken is not the same as knowing it was not accessed, and the chance of undetected access goes up when the sensitive fields sit in the same database the attacker already reached.
"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted SPAM, which is annoying and inconvenient for them," said Joe Moglia, chief executive officer.
[Comfyllama] I am always impressed when a CEO addresses the public regarding information security. Mr. Moglia seems to understand his role with respect to information security very well. If I were a client reading this press release, however, I would be less concerned about SPAM than I would be about my information.
"We sincerely apologize for that and any added concern this may have caused."
"The Company has hired a third party, ID Analytics, Inc., to investigate and monitor for potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunications companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this issue."
"TD AMERITRADE will retain ID Analytics' services on an ongoing basis to support its client accounts by continuing to monitor for evidence of identity theft."
"The Company is confident that it has identified the way in which this information was taken and has taken the appropriate steps to prevent it from recurring."
"This issue is not unique to TD AMERITRADE. It's something that all companies involved in e-commerce should be aware of and prepared to address," Moglia continued.
[Comfyllama] Say what?! All companies involved in e-commerce?! This sounds like TD Ameritrade found a previously undisclosed vulnerability. I wonder if they found a hole in Apache or something. The suspense. Expect more news on this.
Commentary:
TD Ameritrade seems to have always put the customer first in the past, and I am confident that they will this time too. This series of events will get a lot of press because of the name. I expect more information on this breach in the future. If you have some, send it our way.
Past Breaches:
April, 2005 - Ameritrade loses private information related to 200,000 on lost backup tape
December, 2006 - Stolen Ameritrade laptop contains sensitive information about 300 employees
Ameritrade lost backup files in Feb of 2005 as well.
You are absolutely right! News of that breach can be found all over the web, an example is: http://www.msnbc.msn.com/id/7561268/
Due to the fact that we had not started this blog by then we did not include it, but since this breach is causing quite a stir, I think we will.
Thank you for the comment, I will update the original post to reflect this information.
How can past breaches be "None" when they had a serious breach just a couple of years ago?
Ameritrade is the company that was shipping unencrypted backup tapes full of detailed customer information across the country in a cardboard box using a common carrier instead of secure shipping. They unsurprisingly lost 4 of the tapes in 2005. The one with my information was never recovered.
Security sloppiness seems to be a habit with Ameritrade.
You are right. Thank you for bringing this to our attention.
We have updated the post to reflect two past breaches involving TD Ameritrade. One breach is what you refer to, lost unencrypted backup tapes containing sensitive customer information, and one that was announced last year concerning a stolen laptop with employee information.
We should have been clearer. Did you suffer any effects of the lost tapes other than the obvious hassle? My own mother's information was on the IBM tape earlier this year.
Thanks for the update - it appeared while I was typing up my response.
I do not know of any misuse of the lost tape data - yet.
The problem with this level of information loss is that the data is largely non-fungible. If the cracker is even halfway smart, she will know that my SSN/name/address/email combo* will be a valuable commodity for the rest of my life - slightly less when I move, but that data can be re-correlated pretty easily from public records and/or by pulling a credit report. Quite a few scams or outright identity theft are pretty easy from then on.
*Plus whatever else they lost. Scanned copy of my signature? Trade history? Who knows? Ameritrade was never open about the exact data lost.
Ugh. Very good points Tom. Many people don't think past the moment and realize the lifelong issues. As long as Social Security numbers continue to be used for identification purposes, the problem will persist. Social Security numbers were never meant to be used as identification other than to tie your benefits to you. Even with the public disclosure of breaches, companies are still not motivated to get at the root of the problem.
Credit bureaus are making a ton of money right now in selling credit monitoring and protection products. A whole new industry has been born.
Until people start to demand change in large numbers, this is business as usual.
For those affected by the latest breach:
Ameritrade will pay for a credit report pull (3 agency) and one year of monitoring. You just have to call and ask.
I accepted, but I was clear that I did not consider the coverage adequate, nor a closure to the issue.
I plan on pushing HARD for them to pay for lifetime credit monitoring service after their repeated screwups. They made me vulnerable, therefore should monitor for the consequences for the duration of the vulnerability - essentially as long as the information is valuable. Unless there is a seismic shift, the SSN loss from the earlier breach is a lifetime vulnerability which they are directly responsible for causing.
There is some speculation that this could have been an inside job.
"This has all the signs of an inside job," Phil Neray, vice president of marketing at Guardium, told SCMagazineUS.com. "I would say it's highly likely that it was done by a privileged administrator within Ameritrade." - Article at SC Magazine.
Oh boy. This didn't take long! A class action lawsuit is already underway.
According to the InformationWeek article titled Attorney Alleges Ameritrade Knew Of Security Breach A Year Ago:
"Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago."
Another rich attorney gets more rich. Victims might get a dollar or two.
An official copy of the New Hampshire Breach notification to the State Attorney General is at http://doj.nh.gov/consumer/pdf/Ameritrade.pdf
Also included is a copy of the official customer notification letter.
These provide some additional details.
TD Ameritrade has been covering up for years. The CSO spends more time hiding information than addressing it. Just take a look at their internal audit findings, emails documenting such findings as using easily guessable or default passwords for server/application passwords. In the last instance, the person who sent this email was told by the CSO to never do that again because such emails could be subpoenaed by the SEC. BTW, the spam issue was an old issue that existed on the Ameritrade site and it was never fixed and is now used as the TD Ameritrade site. Amazing! Dedication at its finest. You need to dig more into the CSO, Bill Edwards, and his confidant, Renee Capelle.
Well that's the way spammers get your email address to send those "enlarge" messages.
When I hear that such things happen I think that one day the police will come to my door and arrest me for something that I haven't done, but maybe it is just my imagination.
This news from The Chicago Tribune:
"TD Ameritrade close to settling data theft lawsuit", Source: http://www.chicagotribune.com/business/sns-ap-broker-data-theft,0,7642693.story
frigidaire parts, you wrote:
"TD Ameritrade has been covering up for years... look at their internal audit findings, emails documenting such findings as using easily guessable or default passwords for server/application passwords. ..."
Please contact me via my website, or my attorneys at Public Citizen (citizen.org), "frigidaire parts"!
I'd like to verify this info.
See especially http://caringaboutsecurity.wordpress.com/2008/08/20/whistleblower