Attorney Alleges Ameritrade Knew Of Security Breach A Year Ago
Ameritrade says while they investigated the break-in, they unwittingly kept putting user information in the breached database. Nearly all 6.3 million accounts were compromised.
An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.
Last Friday, Ameritrade e-mailed account holders and put a public advisory on its Web site alerting users that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers. The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Client assets, along with user IDs, personal identification numbers, and passwords, were not stored in the compromised database.
However, the advisory noted that it's unclear if account numbers, dates of birth, and Social Security numbers were stolen. Ameritrade did not say when the hackers got into the database or how long they remained there.
Kim Hillyer, a spokeswoman for Ameritrade, said in an interview that all of the company's 6.3 million accounts that were opened before July 18 of this year were breached. She would not say when the company first learned that there had been a breach, only offering that "they had been investigating client reports of spam for some time."
She said in the last few weeks they discovered that malicious code had been embedded in the system. She would not say what part of the system was infected or what kind of code it was. "We have been working with forensics," she said. "They said they've never seen it before."
Hillyer also said that while the investigation was ongoing, as new customers came on board, the company put their information in the compromised database. "We didn't know what the cause of the leak was," she added. "Anyone who opened an account after July 18, though, was not affected by this."
Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.
Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.
"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."
Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."
Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.
Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system.
Kamber alleges one of the two Ameritrade customers represented in the lawsuit gave the company his e-mail address last October and began receiving pump-and-dump spam the next month. That same customer then asked Ameritrade to change his e-mail address in February and received the same kind of spam soon after the change was made.
"Ameritrade knew of a compromise to customer information and they chose not to disclose it until they found out how it happened," added Kamber. "It was Ameritrade's customers' right to know their information had been compromised. It sets a dangerous precedent for companies to wait a year to disclose that people's information was compromised."
Security company Sophos is warning Ameritrade users to be on "red alert" against targeted spam attacks. The company's researchers reported in an online alert that they have spotted hackers trying to exploit the stolen Ameritrade e-mail addresses, using them to lure users to a spoofed Ameritrade site in an attempt to capture user IDs and passwords.
Sophos also noted that a database of 6.3 million targeted e-mail addresses is likely to be a valuable commodity in the computer underground, and the information may be sold between criminal groups for multiple uses.
"A current and authenticated e-mail address is a prized possession in the criminal underworld. It's the first piece of the jigsaw needed to build up a user identity that a hacker can adopt in order to access online retail or bank accounts," said Graham Cluley, a Sophos senior technology consultant, in a written statement. "While TD Ameritrade has gone to great lengths to reassure customers that this breach hasn't led to any ID theft, no one should underestimate just how wily hackers can be in order to extort confidential information from unsuspecting victims."
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of April 24, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week!