Complain about a product or service

Hackers Steal Information On 6.3 Million Ameritrade Customers

'Unauthorized code' enabled thieves to breach database

by Martin H. Bosworth
ConsumerAffairs.com

September 15, 2007

The information stolen included names, phone numbers, e-mail accounts, and addresses.

Although more sensitive information such as Social Security numbers and account numbers were included in the same database, Ameritrade claimed this information had not been breached, though it did not offer specifics.

"[Ameritrade] has discovered and eliminated unauthorized code from its systems that allowed access to an internal database," the company said in its statement. "The discovery was made as the result of an internal investigation of stock-related SPAM."

The 6.3 million customers comprises the vast majority of Ameritrade's client base, second only to Charles Schwab Corp., the biggest online discount brokerage.

"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," said Joe Moglia, chief executive officer. "We sincerely apologize for that and any added concern this may have caused."

Ameritrade said there was no evidence that the information was being used for identity theft. The company hired security firm ID Analytics to perform forensics on the breach and investigate for signs of fraud or theft stemming from misuse of the information.

Although ID Analytics' chief operating officer Mike Cook said the investigation found no initial evidence of identity theft, the company would continue investigating signs that the stolen information may be used elsewhere.

"Just because a breached file is not misused today, it doesn't mean that it won't be misused in the future," Cook said, according to published reports.

Ameritrade claimed that the malicious code had been removed and that the company's security procedures had been upgraded to prevent similar incidents. The FBI and the Securities & Exchange Commission are also investigating the breach.

The Spam Trail

Ameritrade customers were apparently receiving spam e-mails touting pump-and-dump scams to their accounts for many months prior to the disclosure of the breach. Blogs and online forums such as Slashdot were filled with stories of Ameritrade customers receiving unsolicited e-mails, despite creating and using e-mail accounts solely for use with the online broker.

The spam e-mails were originally thought to be a result of the loss of a data tape containing information on 200,000 Ameritrade customers in April 2005, with speculation that the data may have been sold to hackers and spammers.

But bloggers and Ameritrade customers then reported being hit with spam blasts even after creating accounts subsequent to the 2005 breach.

"So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it," wrote one commenter on Slashdot. "Probably someone inside AmeriTrade is selling customer data to an outside spammer."

The "inside job" theory has new support in the wake of the disclosure of the breach.

Graham Cluely of IT security firm Sophos told CNet News that the breach could have only occurred if hackers took advantage of a vulnerability in the site's code--the story promoted by Ameritrade--or if someone had used a Trojan Horse virus to exploit the vulnerability from the inside.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |