Network World
Tuesday, December 2, 2008
Buzzblog

Ameritrade leak looks to have started in late '05, much earlier than reported

E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005. Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem.

Following that January 2006 e-mail, subsequent warnings from multiple sources - including a column this May by my Network World colleague Mark Gibbs - also failed to prompt the company to alert its clients. Only last Friday did Ameritrade publicly acknowledge that "unauthorized code" on its systems had "allowed certain information stored in one of our databases, including e-mail addresses, to be retrieved by an external source."

More than 6 million customer accounts were exposed, although Ameritrade contends there has been no known identity fraud associated with the breach.

"I warned Ameritrade of a security breach in January of 2006, which means that it likely occurred in mid- to late-2005," says Joshua Fritsch, who sent the Jan. 9, 2006 e-mail and provided copies of his exchange with Ameritrade to Network World. Fritsch has 15 years of experience in networking, including "security design and management for a global financial firm."

Ameritrade stands by its decision to hold off on an earlier public notification.

"We didn't know how the information was getting out," company spokeswoman Kim Hillyer told me this morning. "We didn't know the scope of the issue."

Asked if prudence might have suggested an earlier alert - given the number of sources and the expertise of those warning the company, coupled with all the internal uncertainty - Hillyer fell back on her talking points and insisted there was nothing more they could have done.

The company is already being sued over the spam deluge, and can certainly expect to hear from more lawyers.

While Fritsch does not have a copy of the first e-mail he sent to Ameritrade - it was submitted via a Web form and not copied back to him - he told me that it went like this: "I created just for use with your company, and it was never distributed anywhere else. Thus, your database has been compromised either by a hacker, or one of your employees selling the data."

Here's what he got back from Ameritrade, dated Jan. 9, 2006:

Mr. Fritsch,

The Spam e-mail you are receiving is not a result of Ameritrade sharing or selling any contact information, nor do we believe any information has been compromised. The cornerstone of our Privacy Statement is the commitment to keep our clients' personal information confidential. ...

Several Spam methods do not depend on using purchased or intercepted lists of existing or valid e-mail accounts. Spammers also use known "brute forcing" or dictionary techniques. Brute forcing e-mails basically starts with something like , , , , and continues on from there. Brute forcing basically generates and sends out an e-mail to every possible combination of characters/e-mail addresses at any given domain. A dictionary e-mail Spam basically uses all of the words that would be included in a dictionary or combinations of words which generally produce quite a few valid e-mail accounts. This type of method would not be inhibited by using a separate e-mail address for each business account you may have.

We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employees dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.

Don't you just love the idea of a customer service rep giving a security expert a lesson about spam and IT staffing? Anyway, Fritsch tried again: "I suggest you review the security of your customer data. I and the man who hosts the receiving e-mail server are both computer and network security specialists, and if a full-blown dictionary spam attempt had been made the source would have been cut off long before it got to the combination of 'ameritrade'."
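The reasoning in Fritsch's reply (a dictionary run would leave its own trace on the receiving server long before it happened to reach the one tagged address) can be turned into a routine check. What follows is an added example, not code from the article or from Fritsch. It assumes the per-company address scheme he describes, where each vendor is given its own local part at one receiving domain, and a mail server that logs recipient, sender and whether the mailbox existed. Every address, domain, vendor entry and log line in it is constructed for the example.

```python
"""Leak detection with vendor-specific (tagged) e-mail addresses.

Added example. Each company was given its own local part at one receiving
domain, so spam arriving at that address points back at that company's data,
unless the server also shows dictionary-style probing of many nonexistent
mailboxes in the same period. All values below are constructed.
"""
import re
from collections import defaultdict

# Which company received which tagged address, and the sender domains that
# company is expected to mail from (constructed, hypothetical values).
TAGGED = {
    "ameritrade@example.net": {"vendor": "Ameritrade", "expected": {"ameritrade.example"}},
    "bookshop@example.net": {"vendor": "Bookshop (hypothetical)", "expected": {"bookshop.example"}},
}

# Constructed MTA-style log lines: one tagged address receives stock-promotion
# mail from unrelated senders; the other only hears from its own vendor.
LEAK_LOG = [
    "rcpt=ameritrade@example.net from=statements@ameritrade.example status=accepted",
    "rcpt=ameritrade@example.net from=promo@stockpump.example status=accepted",
    "rcpt=ameritrade@example.net from=alerts@pennystock.example status=accepted",
    "rcpt=AMERITRADE@example.net from=news@hotpicks.example status=accepted",
    "rcpt=bookshop@example.net from=orders@bookshop.example status=accepted",
]

# Constructed log of a dictionary run: many guessed local parts, almost all of
# which do not exist, plus one guess that happened to land on a tagged address.
DICTIONARY_LOG = [
    f"rcpt={word}@example.net from=bulk@mailer.example status=rejected"
    for word in ["alice", "bob", "carol", "dave", "info", "sales", "admin", "webmaster"]
] + ["rcpt=bookshop@example.net from=bulk@mailer.example status=accepted"]

LOG_RE = re.compile(r"rcpt=(\S+) from=(\S+) status=(accepted|rejected)")


def parse_log(lines):
    """Turn log lines into records; lines that do not match the pattern are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            records.append({
                "rcpt": m.group(1).lower(),
                "from_domain": m.group(2).lower().rsplit("@", 1)[-1],
                "accepted": m.group(3) == "accepted",
            })
    return records


def probed_local_parts(records):
    """Distinct nonexistent mailboxes that were tried: the dictionary-attack signal."""
    return {r["rcpt"].split("@", 1)[0] for r in records if not r["accepted"]}


def unexpected_senders(records, tagged=TAGGED):
    """Map vendor -> sorted sender domains that wrote to its tagged address
    but are not the vendor's own."""
    hits = defaultdict(set)
    for r in records:
        info = tagged.get(r["rcpt"])
        if info and r["accepted"] and r["from_domain"] not in info["expected"]:
            hits[info["vendor"]].add(r["from_domain"])
    return {v: sorted(d) for v, d in hits.items()}


def assess(lines, probe_threshold=5, tagged=TAGGED):
    """Return {vendor: verdict}. Outside senders hitting a tagged address mean a
    suspected leak, unless the same period shows probing of at least
    probe_threshold nonexistent mailboxes, which makes the hit inconclusive."""
    records = parse_log(lines)
    probing = len(probed_local_parts(records)) >= probe_threshold
    verdicts = {}
    for vendor, domains in unexpected_senders(records, tagged).items():
        if probing:
            verdicts[vendor] = "inconclusive: dictionary probing seen on this domain"
        else:
            verdicts[vendor] = f"suspected leak: {len(domains)} outside sender domain(s)"
    return verdicts


if __name__ == "__main__":
    print(assess(LEAK_LOG))
    print(assess(DICTIONARY_LOG))
```

The two sample logs show the two outcomes Fritsch contrasts: with no rejected deliveries on the domain, three outside sender domains writing to the Ameritrade-only address is reported as a suspected leak; with eight guessed local parts bouncing, the single hit on the bookshop address is reported as inconclusive, since a guesser could have reached it by chance. The probe threshold is a tuning knob, and on a real server the rejected-recipient count should be read over the same time window as the hits.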

This time the rep at least had enough sense to break from the script and boot this one upstairs.

Mr. Fritsch,

We take the security of our client data very seriously. I have forwarded your notes to our Management Team.

While Ameritrade insists that it was working diligently - and hiring specialists - to stem the flow of spam, all of those efforts proved ineffective until recently ... and customers remained in the dark.

In August 2006, Fritsch tried again to warn Ameritrade - via e-mail and telephone - this time providing samples of the spam that was hitting his Ameritrade-only account. At this point it's clear that the matter has Ameritrade's attention, even if the company was not sharing those concerns with its client base.

Dear Joshua Fritsch:

Thank you for reporting that you received spam e-mail at an e-mail address you use with TD AMERITRADE.

We take your privacy very seriously, and are conducting a thorough investigation into this matter.

If you haven't already, we would appreciate it if you would reply to this message and provide the following:

The date the e-mail was received

The address the spam was sent to (your e-mail address)

The e-mail source (the "from" address)

Whether this was the first occurrence

We sincerely appreciate your cooperation and patience as we work to get to the source of this.

Fritsch had already sent what they were asking for, but he sent more, just to be helpful.

Finally, near the end of August - again, this is 2006 - Fritsch received this e-mail from Ameritrade:

Joshua Fritsch,

We have received many headers from various client reports. At this time there is no need to continue to forward this information to TD AMERITRADE. We appreciate your cooperation in our investigation.

And another full year would pass before 6.2 million Ameritrade customers would learn that all that spam they had been getting was more than just spam.

TD Ameritrade Spam Leak

Great Article...

Do you know any of the details of joining the class action suit so that I can find out precisely what information has been revealed besides my email address? Thanks, Tom Saam

http://www.amtd.com/spam_faq.

http://www.amtd.com/spam_faq.cfm

Has a bit more detail on what was taken:

What information was taken from the database, and who is affected?
This particular database included information on clients, accounts, demographics and trading activity.

We do know that information such as email addresses, names, addresses, phone numbers, and other miscellaneous account information, such as number of trades placed in a given time period was retrieved from this database and that this activity affected TD AMERITRADE retail and institutional clients who were clients prior to July 18.

While more sensitive information like account numbers, date of birth and Social Security Numbers was also stored in this particular database, we have no evidence that it was retrieved or used to commit identity theft. In fact, we have been able to conclude that this sensitive information belonging to our legacy TD Waterhouse retail and institutional clients was not retrieved.

Seems to me like damn near everything besides passwords. Maybe not exact trade history, but a summary of it. They claim they don't believe anything besides the email addresses were taken; unfortunately I think it's quite possible they were taken, just only the email addresses were used. Meaning all that other data useful for identity theft is still leaked, with a much higher risk it will get in the hands of someone who will use it for identity theft.

Ameritrade SPAM

The first SPAM that I really noticed from Ameritrade was in August '06. I, too, got the same "I'll kick it upstairs" reply. Nothing else happened. So I called and called and called. At first, they told me "everyone gets spam", but I had them look up my email address (which, like Joshua Fritsch's, had Ameritrade@..... so it was ONLY given to them!). Finally, someone called back and told me it was a 1-time problem with the company they used for outgoing emails. I had a hard time believing this. I asked if I should change my email address (since it was getting so much spam) and he said they were actually still looking into the problem (so was the initial response he gave me just a lie?!). He did call a few times to speak with me about this, but when we actually spoke again, there were no updates... just more spam. It seems they didn't really care about it - or everyone thought it was someone else's job!!

Thanks for the update here on Ameritrade & if there is anything I can do, please let me know!!

About Buzzblog

When not blogging, I am a Network World news editor and write the 'Net Buzz column.
