Ameritrade Security Audit Finds Privacy-Busting Back Door

RalphTheWonderLlama writes "In recent months, online stock brokers have apparently been upset by the sale of their email addresses to spammers. Today TD Ameritrade released details of their investigation into the matter (along with a video message from the CEO and special FAQ). It seems some 'unauthorized code' had exposed client email addresses and possibly other sensitive information from an internal database. 'TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered "unauthorized code" in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system. Moglia, speaking in an online video-taped message to customers, said he is "confident" that they have figured out how the information was taken.'"

Unacceptable

[mkraft]

As a TD Ameritrade account holder I find this unacceptable. Not only do they have unauthorized code running on their local systems with access to customers social security numbers and the like, but they don't even tell their customers when this happens other than issuing a generic press release in which they say they think the hackers only got email addresses despite the fact that the data base the hackers had access to also had birth dates, social security numbers and everything else necessary to steal account holders' identities.

How does unauthorized code even get into a financial institutions systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened.

What exactly is TD Ameritrade doing about this? TD Ameritrade should at least give it's customers free credit monitoring.

Press Release Doesn't Tell the Whole Story

[Ethan+Preston]

I am a class action attorney. My law firm and I sued Ameritrade over failing to disclose the security breach on May 31, 2007. We filed for a preliminary injunction on July 10, 2007. Part of the relief we sought for the accountholders in the preliminary injunction was a disclosure of this information.

In sum, this Motion seeks an Order from this Court against TD AMERITRADE, Inc. that: ... 8. Requires TD AMERITRADE, Inc. to prominently disclose in its Privacy Statement and in emails or other individual disclosures to its accountholders: ALERT: AMERITRADE'S INFORMATION SYSTEMS ARE NOT NECESSARILY SECURE AND WE CANNOT ASSURE THE SECURITY OF YOUR PERSONAL INFORMATION. THERE IS EVIDENCE THAT SOME ACCOUNTHOLDERS' EMAIL ADDRESSES HAVE LEAKED FROM AMERITRADE'S COMPUTER SYSTEMS TO SPAMMERS. AMERITRADE HAS AN ONGOING INVESTIGATION INTO THIS SITUATION. YOUR NAME, SOCIAL SECURITY NUMBER, AND YOUR EMAIL ADDRESS MAY HAVE BEEN LEAKED AS WELL. We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review. You can contact Equifax (800-685-1111), Experian (888-397-3742), or TransUnionCorp (800-680-7289). Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly. If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. You can obtain a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm