Names, contact info on 6M TD Ameritrade customers compromised

Computerworld - Brokerage firm TD Ameritrade Holding Corp. today disclosed that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its more than 6 million retail and institutional customers have been compromised by an intrusion into one of its databases.

But Social Security numbers, account numbers and dates of birth, all of which were stored in the same hacked database, appear to have been left untouched, the company said today.

The intrusion was discovered during an internal investigation into stock-related spam being reported by TD Ameritrade customers, said Kim Hillyer, a company spokeswoman. According to Hillyer, the investigation revealed the presence of unauthorized code, which has since been removed, on a database containing customer information.

TD Ameritrade has hired fraud detection firm ID Analytics Inc. to investigate the compromise and to help monitor for fraud, she said. So far, neither TD Ameritrade nor ID Analytics has been able to unearth any evidence to show that the information was accessed for any reason other than to send spam, she said.

"We do apologize for that and we do understand there may be added concern" for customers because of the incident, she said.

In a statement, company CEO Joe Moglia apologized for the breach, but tried to downplay its impact. "While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," Moglia said. "We sincerely apologize for that and any added concern this may have caused."

The statement also informed customers that no "special actions" were required of them with regard to their accounts as a result of the breach.

The company will start notifying all its customers via postal and e-mail over the next few days, Hillyer said.

Robert Ellis, an analyst at Celent, a Boston-based financial research firm, called the breach a "particularly egregious and scary" one.

"The idea that someone could hack into TD Ameritrade's system sufficiently to extract contact information such as phone numbers, e-mail and home addresses, and to bury the code so deeply that the breach was only noted after phishers attempted to utilize the data is quite alarming," he said. "Either the contact information was behind a less-strong level of security, or TD Ameritrade dodged a major bullet."

Read more about security in Computerworld's Security Knowledge Center.