September 14th, 2007

TD Ameritrade discovers database breach

Posted by Larry Dignan @ 6:59 am

Categories: E-commerce, General, Security, Web Technology

Tags: Database, Ameritrade Inc., Larry Dignan

Online broker TD Ameritrade said Friday that it has discovered a database breach that compromised customer accounts.

In a statement, TD Ameritrade said it “discovered and eliminated unauthorized code from its systems that allowed access to an internal database.” TD Ameritrade found the breach as it was investigating stock-related spam.

Disclosure: I have more than a passing interest in this since I’m a TD Ameritrade customer.

Here’s what TD Ameritrade’s analysis revealed:

• Assets are safe since user IDs, personal identification numbers and passwords were kept in a separate database;
• Email addresses, names, addresses and phone numbers were taken. This fact explains why TD Ameritrade was investigating a bunch of spam complaints;
• Account numbers, date of birth and Social Security numbers were in the breached database but not taken.

CEO Joe Moglia apologized for the unwanted spam and said there was “no evidence” that sensitive data was taken. TD Ameritrade also hired ID Analytics to monitor for potential identity theft.

The company also said that clients don’t have to do anything special other than monitoring their personal information.

Update:  TD Ameritrade is seeing heavy call volume over this issue. The log-in screen gives you the following message:

For more information regarding the recent communications about the SPAM investigations, please go to www.amtd.com. You’ll find our Frequently Asked Questions and see a message from our CEO, Joe Moglia. If you would like to discuss this with one of our representatives, please feel free to send us an email or give us a call. We are anticipating higher than normal call volumes, so you may experience longer than normal hold times.

Further comment from Michael Krigsman.