E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005. Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem.
Following that January 2006 e-mail, subsequent warnings from multiple sources - including a column this May by my Network World colleague Mark Gibbs - also failed to prompt the company to alert its clients. Only last Friday did Ameritrade publicly acknowledge that "unauthorized code" on its systems had "allowed certain information stored in one of our databases, including e-mail addresses, to be retrieved by an external source."
More than 6 million customer accounts were exposed, although Ameritrade contends there has been no known identity fraud associated with the breach.
"I warned Ameritrade of a security breach in January of 2006, which means that it likely occurred in mid- to late-2005," says Joshua Fritsch, who sent the Jan. 9, 2006 e-mail and provided copies of his exchange with Ameritrade to Network World. Fritsch has 15 years of experience in networking, including "security design and management for a global financial firm."
Ameritrade stands by its decision to hold off on an earlier public notification.
"We didn't know how the information was getting out," company spokeswoman Kim Hillyer told me this morning. "We didn't know the scope of the issue."
Asked if prudence might have suggested an earlier alert - given the number of sources and the expertise of those warning the company, coupled with all the internal uncertainty - Hillyer fell back on her talking points and insisted there was nothing more they could have done.
The company is already being sued over the spam deluge, and can certainly expect to hear from more lawyers.
While Fritsch does not have a copy of the first e-mail he sent to Ameritrade - it was submitted via a Web form and not copied back to him - he told me that it went like this: "I created firstname.lastname@example.org just for use with your company, and it was never distributed anywhere else. Thus, your database has been compromised either by a hacker, or one of your employees selling the data."
Here's what he got back from Ameritrade, dated Jan. 9, 2006:
The Spam e-mail you are receiving is not a result of Ameritrade sharing or selling any contact information, nor do we believe any information has been compromised. The cornerstone of our Privacy Statement is the commitment to keep our clients' personal information confidential. ...
Several Spam methods do not depend on using purchased or intercepted lists of existing or valid e-mail accounts. Spammers also use known "brute forcing" or dictionary techniques. Brute forcing e-mails basically starts with something like email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com and continues on from there. Brute forcing basically generates and sends out an e-mail to every possible combination of characters/e-mail addresses at any given domain. A dictionary e-mail Spam basically uses all of the words that would be included in a dictionary or combinations of words which generally produce quite a few valid e-mail accounts. This type of method would not be inhibited by using a separate e-mail address for each business account you may have.
We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employees dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.
Don't you just love the idea of a customer service rep giving a security expert a lesson about spam and IT staffing? Anyway, Fritsch tried again: "I suggest you review the security of your customer data. I and the man who hosts the receiving e-mail server are both computer and network security specialists and if a full-blown dictionary spam attempt had been made the source would have been cut off long before it got to the combination of 'ameritrade.'"
This time the rep at least had enough sense to break from the script and boot this one upstairs.
We take the security of our client data very seriously. I have forwarded your notes to our Management Team.
While Ameritrade insists that it was working diligently - and hiring specialists - to stem the flow of spam, all of those efforts proved ineffective until recently ... and customers remained in the dark.
In August 2006, Fritsch tried again to warn Ameritrade - via e-mail and telephone - this time providing samples of the spam that was hitting his Ameritrade-only account. At this point it's clear that the matter has Ameritrade's attention, even if the company was not sharing those concerns with its client base.
Dear Joshua Fritsch:
Thank you for reporting that you received spam e-mail at an e-mail address you use with TD AMERITRADE.
We take your privacy very seriously, and are conducting a thorough investigation into this matter.
If you haven't already, we would appreciate it if you would reply to this message and provide the following:
The date the e-mail was received
The address the spam was sent to (your e-mail address)
The e-mail source (the "from" address)
Whether this was the first occurrence
We sincerely appreciate your cooperation and patience as we work to get to the source of this.
Fritsch had already sent what they were asking for, but he sent more, just to be helpful.
Finally, near the end of August - again, this is 2006 - Fritsch received this e-mail from Ameritrade:
We have received many headers from various client reports. At this time there is no need to continue to forward this information to TD AMERITRADE. We appreciate your cooperation in our investigation.
And another full year would pass before 6.2 million Ameritrade customers would learn that all that spam they had been getting was more than just spam.