The data breach that exposed the names and contact information of the more than 6.2 million customers of TD Ameritrade Holding Corp. may have occurred as far back as a year ago -- and possibly even earlier than that.
For at least part of that time, the company was aware of the possibility of such a breach because of complaints about stock-related spam that its customers were receiving. Even so, it did not notify customers about the potential compromise until it was forced to do so, according to Scott Kamber, a lawyer who filed a spam-related class action law suit against TD Ameritrade in May. The breach was not acknowledged publicly by TD Ameritrade until last Friday.
"It is really important for people to understand they were not doing this because they are a model corporate citizen," Kamber said. "They are doing this because they were caught with their pants down."
TD Ameritrade said that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its retail and institutional customers had been compromised by an intrusion into one of its databases. But Social Security numbers, account numbers and dates of birth, all of which were stored in the same hacked database, appear to have been left untouched, the company said.
Kim Hillyer, a spokeswoman for Ameritrade, this morning stressed that the intrusion was discovered about two weeks ago during an internal investigation into stock-related spam reported by customers. "As soon as we discovered it, stopped it and gathered enough information to notify our clients about the matter, we did so," Hillyer said.
According to Kamber, however, Ameritrade has known about the problem at least since October 2006, when some customers began complaining to the company about receiving stock-related spam. That led to the lawsuit by Kamber & Associates LLC in U.S. District Court for the Northern District of California. The complaint alleged that Ameritrade's unintentional or intentional disclosure of its account holders' private e-mail addresses resulted in their receiving stock spam. The suit raised the possibility that Ameritrade was the victim of a security breach involving a customer database that might have also contained Social Security numbers and other sensitive data.
The class-action suit was brought on behalf of Ameritrade account holders in California as well as Internet access providers that received spam sent to the e-mail addresses of Ameritrade account holders.
In August, a motion seeking a preliminary injunction against TD Ameritrade was filed. That injunction would have resulted in the following:
- Required Ameritrade to notify customers that account holder information had been exposed in a manner inconsistent with the company's privacy policy.
- Required Ameritrade to correct any security issues that might allow client contact information to be exposed.
- Ordered Ameritrade to alert customers when they were about to buy or sell stocks being touted by the spam e-mail.
- Stopped Ameritrade from destroying evidence by telling customers who complained of stock spam to delete it from their systems.
A hearing on the injunction had been set for Sept. 18, but TD Ameritrade last week reached an agreement with the court and the plaintiffs to adjourn that hearing for two weeks so the parties could discuss relevant issues. "Literally, after the court agreed to put it off for two weeks, they went out there and said they had found the problem," Kamber said. "I guess they wanted to break the story on their own. It demonstrates that their timing was dependent on convenience to the company rather than on the security needs of their customer."
The issue of when a company discovers a breach and how it responds is vital to establishing its liability for the breach, according to security analysts. For example, if a company knew that one of its databases might have been compromised but continued to put customer information into that database, the act could be construed as negligence or even intentional exposure of customer data.
On the other hand, if a company is breached and doesn't know about or discover the compromise for an extended period of time, that could raise questions about whether it had properly implemented security controls.
"We agree with TD Ameritrade that hacking can happen to any company out there," Kamber said. "But what sets apart the responsible corporate citizen from the irresponsible one is how they deal with it. TD Ameritrade waited till five months after the lawsuit was filed and one year after they learned about [the stock spam] to disclose a breach. The question becomes, why?"
Hillyer said she couldn't comment on issues related to pending litigation against the company. She also did not respond to Kamber's assertions that Ameritrade had been aware that its customers were being spammed as far back as a year ago.