TD Ameritrade Holding Corporation, an online brokerage company, said one of its databases was hacked into and the personal information for more than 6.3 million customers was stolen. The company found malicious code in one of its databases.
However, the firm said that Social Security numbers and account numbers were not taken. Ameritrade started notifying its customers about the data theft September 14, and posted information about the event on its corporate Web site.
“While the financial assets our clients hold with us were never touched, and there is no evidence that our clients’ Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them,” said Joe Moglia, CEO of Ameritrade in a statement.
Omaha, NE-based TD Ameritrade gave no details regarding the investigation, and did not reveal when the hacking occurred in its statement. The firm did not respond to DM News inquiries about the breach.
The company did say that it commissioned ID Analytics, a provider of services to prevent identity theft, to help with the investigation.
Results of their combined efforts reveal that client assets held in accounts with the company remain secure. No user identification numbers, personal identification numbers or passwords were stored in the compromised database. Information such as e-mail addresses, names, addresses and phone numbers were mined from this database, affecting both retail and institutional clients.
While more sensitive information, such as account numbers, date of birth and Social Security numbers, is stored in this database, the company said there is no evidence that it was taken.
Ameritrade has not revealed when it was first made aware of the breach. In May 2006, Ameritrade was sued in a California district court by two of its customers, who were receiving marketing solicitations via e-mail on accounts used only for Ameritrade. The case is still pending.
One of the plaintiffs, Matthew Elvey, claims he created his e-mail account specifically for use with Ameritrade. Elvey says based on the e-mail received at that account, he became suspicious his privacy had been compromised.
Elvey also claims that in October 2006 he moved his Ameritrade account to a new e-mail account that was on a different machine. This new account began to receive spam as well, according to Elvey. A company called Gadgetwiz Inc., a provider of e-mail addresses, is also a plaintiff in the suit.
At the time the suit was filed, the plaintiffs sought damages along with a court order for Ameritrade to tell its customers about the data problem. Ameritrade issued its release about a data breach before a final decision from the court.
“The TD Ameritrade incident brings home the point that unauthorized code-based access to databases remains one of the major methods for data theft,” said Prat Moghe, CTO and founder of Tizor, a database security provider, based in Maynard, MA.
“If databases are not monitored for all activity, there is no easy way to catch such rogue code access. You can’t protect against what you can’t see.”
Moghe said that there have been about 300 reported data breaches since 2005, according to Privacy Rights Clearinghouse data.
“This is an escalating problem. Any organization with sensitive consumer data is at risk – whether thieves use data like SSNs for identity theft, or names and e-mail for phishing schemes,” Moghe said.
He advised serveral tactics for careful data control and potential theft monitering.
“To avoid being in this situation – public disclosure, brand damage, customer trust damage, legal issues, fines – there are four steps that I would suggest,” Moghe told DM News.
“Know where all of your sensitive data is located [through] data discovery. Have good records, [and] a trail of when and how data may have been exposed. Lastly, have a real-time alerting system in place – so you know when something is going wrong.” n
