« Home | MontaVista Vision 2007 DevCon » | Xynergi from Fairlight » | Around the Web » | How Not to Implement Serialization in C++ » | Free Dr. Dobbs Journal and MSDN Magazines » | Dealing with C++ "Unused Parameter" Warnings » | PayPal Subscriptions Outage Finally Resolved » | Web Based Power Point Presentations » | A New DUNS Number » | [YouTube] Mindstorms Autofabrik »

TD Ameritrade Hacked.

I just received this email from TD Ameritrade (below) and I'm fuming mad.   Let me parse and summarize the email I recieved:  Someone breached TD Ameritrade's security, and left behind some "unauthorized code," and made off with social security numbers, email addresses, ACH account numbers, and more. 
 
Interestingly enough, I found a postings from 2006 which suggest that this has been going on for more than a year (here too), before they caught on and disclosed the problem.  They have denied the problem or blamed it as an "industry wide problem".  
 
Dear Joe Turner,

Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

What we want you to know:
  • Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
  • You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

Sincerely,
[image]
Joe Moglia
CEO
TD AMERITRADE

Labels:

Posted by Joe Turner on Friday, September 14, 2007 at 10:50 AM |

Lets see.... TDAmeritrade customer email addresses were stolen from the same database that contains my name, address, SSN, birth date, ACH and other sensitive information. But I am supposed to believe TDAmeritrade that the only thing stolen was the least valuable bit of information accessible?

The most astonishing thing to me is that the SSN's are contained in any database connected to the internet. That access is absolutely not necessary in the conduct of online trading. These guys must be complete idiots when it comes to security.

Posted by Anonymous Anonymous | September 14, 2007 11:03 PM  

This website seems to think that email is one of the many phishing for personal bank or investment information. I didn't check but it says the links in the email go to phishing websites that look authentic but really just harvest your login information.

http://phishingscams.myofb.net/2007/09/td-ameritrade-email-privacy-leak.html

Posted by Anonymous Anonymous | September 21, 2007 7:32 PM  

The email I got was legit. When I mouse over the hyperlinks in the email the URL in the status bar points back to td ameritrade.

Posted by Blogger Joe Turner | September 21, 2007 10:38 PM  

the problem of TDAmeri is that they always think their clients are doing something wrong, and it is always their clients to be the ones to blame. now they are themselves in the Hall of Shame, fair guess is that they won't change a bit.

my suggestion is whenever investors have more than 25 grand in their position , open an account with Bank of America, it is the No.Two bank so the security is not on the amateur level.and clients with more than 25 grand can trade 30 times free in each month. Of course you should be U.S. resident to apply.

btw, to Joe, don't take the hyperlink for so much granted, hackers can do a lot of things to the tail part of the link. my suggestion is --- do not click any link of any email, and shut the display of picture if possible. if you really want to go the specific url, type it yourself, I mean every time ,type it.

Posted by Anonymous Bill | September 29, 2007 12:45 AM  

Post a Comment