TD Ameritrade was warned of possible data breach months ago
Class action lawsuit filed in May urged company to probe potential breach
September 17, 2007 12:00 PM ET
Computerworld - The data breach that exposed the names and contact information of the more than 6.2 million customers of TD Ameritrade Holding Corp. may have occurred as far back as a year ago -- and possibly even earlier than that.
For at least part of that time, the company was aware of the possibility of such a breach because of complaints about stock-related spam that its customers were receiving. Even so, it did not notify customers about the potential compromise until it was forced to do so, according to Scott Kamber, a lawyer who filed a spam-related class action lawsuit against TD Ameritrade in May. The breach was not acknowledged publicly by TD Ameritrade until last Friday.
"It is really important for people to understand they were not doing this because they are a model corporate citizen," Kamber said. "They are doing this because they were caught with their pants down."
TD Ameritrade said that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its retail and institutional customers had been compromised by an intrusion into one of its databases. But Social Security numbers, account numbers and dates of birth, all of which were stored in the same hacked database, appear to have been left untouched, the company said.
Kim Hillyer, a spokeswoman for Ameritrade, this morning stressed that the intrusion was discovered about two weeks ago during an internal investigation into stock-related spam reported by customers. "As soon as we discovered it, stopped it and gathered enough information to notify our clients about the matter, we did so," Hillyer said.
According to Kamber, however, Ameritrade has known about the problem at least since October 2006, when some customers began complaining to the company about receiving stock-related spam. That led to the lawsuit by Kamber & Associates LLC in U.S. District Court for the Northern District of California. The complaint alleged that Ameritrade's unintentional or intentional disclosure of its account holders' private e-mail addresses resulted in their receiving stock spam. The suit raised the possibility that Ameritrade was the victim of a security breach involving a customer database that might have also contained Social Security numbers and other sensitive data.
The class-action suit was brought on behalf of Ameritrade account holders in California as well as Internet access providers that received spam sent to the e-mail addresses of Ameritrade account holders.
In August, a motion seeking a preliminary injunction against TD Ameritrade was filed. That injunction would have:
- Required Ameritrade to notify customers that account holder information had been exposed in a manner inconsistent with the company's privacy policy.
- Required Ameritrade to correct any security issues that might allow client contact information to be exposed.
- Ordered Ameritrade to alert customers when they were about to buy or sell stocks being touted by the spam e-mail.
- Stopped Ameritrade from destroying evidence by telling customers who complained of stock spam to delete it from their systems.