SecurityFocus 2007-09-18
TD Ameritrade announced on Friday that a compromised computer at the company had leaked the e-mail addresses of potentially all its 6.3 million customers, but news of the breach came as no surprise to many tech-savvy customers.
Numerous account holders have complained to the brokerage for over a year that spammers were sending stock pump-and-dump messages to unique e-mail addresses provided only to TD Ameritrade, according to online forums. In June, a New York law firm filed a class-action lawsuit against the brokerage, charging that the company knew that e-mail addresses were leaking to spammers and failed to inform customers.
"They chose not to do anything for the past five months, even though they knew about the problems," said Scott Kamber, partner at Kamber & Associates, the firm that brought the lawsuit. "I would find it extremely surprising that the company had first learned about this from our complaint."
TD Ameritrade has had its share of data breach problems. In 2005, the company informed customers that a backup tape containing information on as many as 200,000 customers had been lost by its backup-service provider. The company also revealed in October 2006 that intrusions into compromised accounts had caused approximately $4 million in lost revenue for the company.
On Friday, the firm notified customers that the company had recently discovered code running on one of its systems that was responsible for a rash of pump-and-dump stock spam. TD Ameritrade stated that its investigation had found that customer accounts were not compromised and that no evidence suggested that more sensitive pieces of information -- such as date of birth and Social Security numbers -- were taken.
"Recently, we discovered the code on our systems; as soon as we discovered the code, stopped the code and gathered enough information about what the code had done, we notified our clients," TD Ameritrade spokeswoman Kim Hillyer told SecurityFocus in an e-mail interview. "That communication started taking place on Friday."
However, customers had informed the company of the spam issues as far back as July 2006, according to comments in online forums. One apparent customer wrote that an e-mail address unique to TD Ameritrade had received 36 e-mail messages in July 2006.
"As an Ameritrade customer, I am outraged that they let my data leak like this," the unidentified person wrote under the title "Inexcusable." "But I'm even more outraged that they are trying to bury the issue rather than admitting the breach."
In October 2006, San Francisco resident Matthew Elvey also assigned his TD Ameritrade brokerage account a unique e-mail address. A month later, spammers started sending stock scams to that very same address. Elvey repeated the experiment in February 2007 with another unique email address, setting up a separate hard drive and operating system on his computer to be certain that he was not responsible for leaking the data. By May, the San Francisco resident had received more than 80 stock pump-and-dump messages to that account.
Now, Elvey is one of the plaintiffs in the class-action lawsuit brought by Kamber & Associates.
"If Ameritrade cannot secure its information systems, account holders cannot be sure that the funds and securities in their account(s) are safe from diversion," the lawsuit states. "If spammers can steal e-mail addresses from Ameritrade, they may also be able to divert funds."
The lawsuit alleges that, by not informing account holders, TD Ameritrade profited by signing up new customers who may have used a competitor's service if they knew about the security breach. Moreover, the company had a further incentive, the lawsuit maintains, because any trades caused by the stock spam would gain the company a commission.
TD Ameritrade acknowledged that its investigation "has been going on for some time," but declined to comment on the lawsuit.
"Please know that we are still investigating this issue, and so as to not compromise the intelligence we have gathered thus far I cannot divulge specific information with regards to technology or timing," Hillyer stated.
Editor's note: The reporter owns an account at TD Ameritrade and received notification of the breach. The reporter has not, and will not, join any legal action against TD Ameritrade.