Ameritrade customer database hacked and contact information stolen
(18/09/2007)
TD Ameritrade, the US stock brokerage, admitted late Friday that its customer database had been hacked and contact information on more than 6.3 million customers stolen.
Ameritrade apparently had known about the problem since May of this year, when two customers sued the firm, claiming they were receiving unwanted ads on email accounts used solely for stock trading with the online brokerage.
The firm is reported to be co-operating with the FBI, the US Securities and Exchange Commission and several other key agencies.
Ameritrade, which was forced to disclose this data breach under US state law, has assured customers that their username IDs, personal identification numbers, passwords, date of birth details and Social Security Numbers were not accessed by the hackers, but it has apologised for the unwanted spam that the capture of these millions of email addresses is likely to generate.
However, the disclosure of email addresses alone can be used to cheat internet users out of their hard-earned cash. A database of 6.3 million targeted email addresses is likely to be a valuable commodity in the computer underground, and details may be sold on between criminal groups for use in multiple ways.
Calum Macleod, European director with Cyber-Ark, the data vaulting and encrypted company information specialist, said he was incredulous when he heard that online brokerage Ameritrade's 6.3 million-plus customer database had been hacked.
"This could turn out to be the largest systems hack in terms of customer numbers yet seen in the online marketplace," said Macleod, adding that some unconfirmed reports suggest it is only the contact information that has been stolen, and not personal data such as Social Security numbers. "This suggests to me that the theft is related to business espionage rather than out-and-out fraud, as such."
"If the plaintiffs' claims that the Ameritrade database has been vulnerable to hacker attacks since last October are substantiated, then they will have a lot of explaining to do," added Macleod. "Whatever the outcome of the lawsuit(s), this is a classic case of what can happen when a company fails to encrypt its customer database. The damage to a company's reputation can often be worse than the payouts that result from successful lawsuits," he added.
Hackers are already trying to exploit these stolen addresses for commercial gain with a phishing campaign in which cybercriminals try to coax recipients to a spoof TD Ameritrade site in an attempt to capture user IDs and passwords.
"Hackers are now in possession of 6.3 million email addresses for people that they know are interested in trading shares. This knowledge alone could spur the creation of highly targeted spam emails, such as 'pump and dump' campaigns which offer bogus share tips to artificially boost stock prices. We've already spotted 'spear-phishing' campaigns where criminals send emails posing as TD Ameritrade in order to extract additional personal information," said Graham Cluley, senior technology consultant, Sophos.
"TD Ameritrade customers the world over should be extra vigilant when responding to emails which appear to come from the company and should immediately check to ensure that their accounts haven't been fiddled with. They should also change their passwords and run an anti-virus check to make sure their own computers haven't been compromised."
"A current and authenticated email address is a prized possession in the criminal underworld; it's the first piece of the jigsaw needed to build up a user identity that a hacker can adopt in order to access online retail or bank accounts," continued Cluley.
"While TD Ameritrade has gone to great lengths to reassure customers that this breach hasn't led to any ID theft, no one should underestimate just how wily hackers can be in order to extort confidential information from unsuspecting victims."
All companies should learn from TD Ameritrade's misfortune and ensure they have proper defences in place to reduce the risk of hackers breaking in and stealing data.
"Most companies these days understand the value of up-to-date anti-virus, firewalls and security patches - but it may be time for more firms to recognise the value of a Network Access Control solution which helps ensure that the corporate security policy is being adhered to by every PC connecting to the network," explained Cluley.
"If you can't be sure that computers attached to your network aren't vulnerable, then you could be at risk of customer data leakage, and heading for the same PR nightmare that TD Ameritrade is now facing."


