Saturday, September 15, 2007

Another 6.3 million people's information stolen at Ameritrade

According to the AP, Ameritrade is reporting that someone hacked into their systems and made off with 6.3 million people's information:
Online brokerage TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority and local authorities.
Allegedly, Ameritrade has known about this for awhile and it might have been the threat of legal action, which prompted them to come forward now:

But Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade's servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

"They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language," Kamber said.
While maintaining confidentiality in an investigation is sometimes necessary, you would think that someone might want to warn the 6.3 million people, who were affected by this?

They might want to start monitoring their finances, carefully.

In addition to this, the stated need for confidentiality is coming from Ameritrade and not a law enforcement source involved in the investigation. The claim that a federal hearing might have forced disclosure might make some wonder about the credibility of what is being said, also.

The verbiage used in the Ameritrade press release states that social security numbers don't "appear" to have been taken is a little scary, also. Does this mean that they aren't sure?

Why would a hacker only take contact information, when social security and dates of birth were available in the same database, also?

My guess is that dates of birth and social security numbers would make the information more valuable to the hackers, who compromised the system.

The press release does state that account numbers and passwords were in a different database, and were not compromised.

Security and identity theft experts are speculating that the information taken could be used to phish for additional information, which then could be to commit identity theft. Phishing is where an e-mail from an official looking, but spoofed (impersonated) source tricks someone into giving up sensitive information.

Tricking people into giving up their information is also known as, social engineering.

Crimeware might also be used to steal the additional information. Once downloaded crimeware, steals information from a system automatically, normally using keylogging software. Crimeware can be picked up by clicking on the link of a phishy e-mail.

According to the Anti-Phishing Working Group, who studies this carefully has reported crimeware use is on the rise. One of the reasons for the rise in crimeware is that DIY (do-it-yourself) kits are being sold on the black market. This allows less sophisticated criminals to get into the game.

The CNet version of the story, quotes Graham Cluley (Sophos) as speculating how Ameritrade's system was probably compromised:
"There are only two different ways this could have happened. There was either a vulnerability with their Web site and it was hacked, or someone internally gained access with a Trojan horse."
Ameritrade has hired ID Analytics, Inc. to monitor what is going on and determine if any identity theft occurs out of all of this.

They are also providing additional information on their site about this unfortunate event for their customers.

The TJX data breach, which compromised over 45 million people, has caused a lot of uproar about how data breaches should be handled and who should pay for them.

Class action law suits are being brought forth and legislation is being introduced to determine, who pays for all the damage, when a data breach occurs.

This is becoming extremely costly for the companies being breached. The last report I saw about the cost incurred so far by TJX is $256 million. The sad thing is that I doubt this is the final figure.

Legislation in California is awaiting Arnold Schwarzenegger's signature, which will require retailers to reimburse financial institutions for the cost of fixing breached financial data. Interestingly enough -- in this data breach and the last major one, I've written about (Certegy) -- the data was not stolen from a retailer.

The Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all compile information on data breaches, which happen so frequently, they are becoming almost "too routine" news events.

If anyone, who was has been affected by a data breach wants independent advice on what to do if you become an identity theft victim, the Privacy Rights Clearinghouse has a very informative page about this, here.

AP story by Josh Funk, here.

1 comment:

Tina Boyer said...

It is time someone got a grip on this issue, whether law enforcement authorities, the financial industry itself, or some watchdog group. Amy