
Ameritrade Leaks User Information Yet Again, Blames Hacker X

Edward Falk

OK, you know things are getting bad when Ameritrade leaks its customer information yet again, and I don't even bother to report it because it's not news anymore.

Well, recent updates to the story have prompted me to correct that omission. Yes, it happened again. Roughly a month ago, correspondents began to receive pump-n-dump spam to tagged email addresses which they had given only to Ameritrade.

I've reported on this issue before, once in July 2006, and again in April 2007. This now marks the third major confirmed leak of customer information from Ameritrade. In addition, the Inquirer reported the loss of 200,000 Ameritrade client files in February 2005. One correspondent informs me that this has happened to him on four or five previous occasions.

There is no indication that the selling of customer information to spammers is official Ameritrade policy. Previously, speculation had centered on theft by rogue email service providers contracted by Ameritrade, or on the possibility of theft by an Ameritrade insider.

Normally, Ameritrade responds to these incidents with their standard bug letter, apologising for the leak and assuring the customer that it was a terrible aberration, etc, etc, etc.

This time, however, they've just issued a press release blaming the problem on Hacker X. Or more precisely, on "unauthorized code" in their systems. Was this the work of Hacker X targeting and penetrating their system, or just some random fool at Ameritrade clicking on the wrong thing with the wrong browser and installing spyware by accident? At any rate, information on 6.3 million customers was stolen.

Of course, Ameritrade assures the public that no ids, passwords, social security numbers or other sensitive information were lost. In other words, they're only admitting to what they were actually busted for.

We, of course, are asked to believe that having successfully breached Ameritrade's security, the crackers took only email addresses, leaving the rest behind:

"While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken."

John Levine informs me that he's also had three email addresses leaked from TD Waterhouse. One dates back before the merger with Ameritrade, one from shortly after the merger, and the third about a month ago. Quoting: "This gives me no confidence that the leak they found is the only one."

More coverage on this issue can be found at Agave Mountain, Computerworld, Dark Reading, Intellectual Intercourse, SC Magazine, and many others. Dark Reading points out that Ameritrade is not forthcoming on the details of the spyware used, preferring to wait until the investigation is complete. SC Magazine (quoting Phil Neray, vice president of marketing at Guardium) speculates that it was an inside job, arguing that only an insider with administrative access could have installed the spyware.

Perhaps my favorite quote is from Intellectual Intercourse, which writes:

"Hacker X is a busy, busy hacker. But we expect from someone who has been around for ten years now. Earlier this year, e360 Insight, LLC (a/k/a, e360insight.com, a/k/a e360data.com), asserted that Hacker X had visited them. That's two in less than 6 months, and we're not done with the year yet."

Stock spamming is big business these days. The site listguy.com openly advertises their pump-n-dump services and boasts that they have copies of email lists from Market Watch, E-Trade, and Scottrade (but not Ameritrade). I have even received pump-n-dump brochures via snail-mail on more than one occasion.

Given the scope of the problem and the amount of money involved, I can easily believe that Ameritrade has someone on the inside willing to sell email addresses to the highest bidder.

By Edward Falk, Computer professional. Visit the blog maintained by Edward Falk here.


Comments

Re: Ameritrade Leaks User Information Yet Again, Blames Hacker X Matthew Elvey  –  Sep 24, 2007 5:04 PM PDT

"pump-n-dump spam to tagged email addresses ... given only to Ameritrade" was news in '05.  Yeah, I was just rereading a John Levine nanae post about spam traceable to Ameritrade which shows they knew about the problem in '05. 

Ameritrade finally admitted to it last Friday in an announcement that was covered in hundreds of articles, according to a Google News search, and it indicates that the breach has been ongoing since then; infiltrators had ONGOING access to a database containing the SSNs of their 6 million customers for about 18 months.

FYI, this announcement is the result of my research and exposure of the hack and follow-up lawsuit against TD Ameritrade.  They announced it now because a judge probably would have otherwise forced them to last week.

Now I'm nailing down exactly what to seek in my settlement negotiations as the class representative.
