Hackers Steal Information On 6.3 Million Ameritrade Customers
September 16, 2007
Hackers broke into a database containing personal information on 6.3 million customers of online discount broker Ameritrade. The breach was discovered during an investigation of an outbreak of spam e-mails sent to Ameritrade customers.
The information stolen included names, phone numbers, e-mail accounts, and addresses.
Although more sensitive information such as Social Security numbers and account numbers was held in the same database, Ameritrade claimed this information had not been breached, though it did not offer specifics.
"Ameritrade has discovered and eliminated unauthorized code from its systems that allowed access to an internal database," the company said in its statement. "The discovery was made as the result of an internal investigation of stock-related SPAM."
The 6.3 million customers make up the vast majority of Ameritrade's client base. Ameritrade is second only to Charles Schwab Corp., the biggest online discount brokerage.
"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," said Joe Moglia, chief executive officer. "We sincerely apologize for that and any added concern this may have caused."
Ameritrade said there was no evidence that the information was being used for identity theft. The company hired security firm ID Analytics to perform forensics on the breach and investigate for signs of fraud or theft stemming from misuse of the information.
Although ID Analytics' chief operating officer Mike Cook said the investigation found no initial evidence of identity theft, the company would continue investigating signs that the stolen information may be used elsewhere.
"Just because a breached file is not misused today, it doesn't mean that it won't be misused in the future," Cook said, according to published reports.
Ameritrade claimed that the malicious code had been removed and that the company's security procedures had been upgraded to prevent similar incidents. The FBI and the Securities & Exchange Commission are also investigating the breach.
The Spam Trail
Ameritrade customers had apparently been receiving spam e-mails touting pump-and-dump stock scams for many months before the breach was disclosed. Blogs and online forums such as Slashdot were filled with stories of Ameritrade customers receiving unsolicited e-mails at addresses they had created and used solely for the online broker.
The spam e-mails were originally thought to be a result of the loss of a data tape containing information on 200,000 Ameritrade customers in April 2005, with speculation that the data may have been sold to hackers and spammers.
But bloggers and Ameritrade customers then reported being hit with spam blasts even after creating accounts subsequent to the 2005 breach.
"So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it," wrote one commenter on Slashdot. "Probably someone inside AmeriTrade is selling customer data to an outside spammer."
The "inside job" theory has new support in the wake of the disclosure of the breach.
Graham Cluley of IT security firm Sophos told CNet News that the breach could only have occurred if hackers took advantage of a vulnerability in the site's code--the account promoted by Ameritrade--or if someone had used a Trojan horse to exploit the vulnerability from the inside.
Author: Martin H. Bosworth