Home / Blogs

Ameritrade Leaks User Information Yet Again, Blames Hacker X

Edward Falk

OK, you know things are getting bad when Ameritrade leaks its customer information yet again, and I don't even bother to report it because it's not news anymore.

Well, recent updates to the story have prompted me to correct that omission. Yes, it happened again. Roughly a month ago, correspondents began to receive pump-n-dump spam to tagged email addresses which they had given only to Ameritrade.

I've reported on this issue before, once in July 2006, and again in April 2007. This now marks the third major confirmed leak of customer information from Ameritrade. In addition, the Inquirer reported the loss of 200,000 Ameritrade client files in February 2005. One correspondent informs me that this has happened to him on four or five previous occasions.

There is no indication that the selling of customer information to spammers is official Ameritrade policy. Previously, speculation had centered on theft by rogue email service providers contracted by Ameritrade, or on the possibility of theft by an Ameritrade insider.

Normally, Ameritrade responds to these incidents with their standard bug letter, apologising for the leak and assuring the customer that it was a terrible aberration, etc, etc, etc.

This time, however, they've just issued a press release blaming the problem on Hacker X. Or more precisely, on "unauthorized code" in their systems. Was this the work of Hacker X targeting and penetrating their system, or just some random fool at Ameritrade clicking on the wrong thing with the wrong browser and installing spyware by accident. At any rate, information on 6.3 million customers was stolen.

Of course, Ameritrade assures the public that no ids, passwords, social security numbers or other sensitive information were lost. In other words, they're only admitting to what they were actually busted for.

We, of course, are asked to believe that having successfully breached Ameritrade's security, the crackers took only email addresses, leaving the rest behind:

"While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken."

John Levine (website) informs me that he's also had three email addresses leaked from TD Waterhouse. One dates back before the merger with Ameritrade, one from shortly after the merger, and the third about a month ago. Quoting: "This gives me no confidence that the leak they found is the only one."

More coverage on this issue can be found at Agave Mountain, Computerworld, Dark Reading, Intellectual Intercourse, SC Magazine, and many others. Dark Reading points out that Ameritrade is not forthcoming on the details of the spyware used, preferring to wait until the investigation is complete. SC Magazine (quoting Phil Neray, vice president of marketing at Guardium) speculates that it was an inside job, arguing that only an insider with administrative access could have installed the spyware.

Perhaps my favorite quote is from Intellectual Intercourse, which writes:

"Hacker X is a busy, busy hacker. But we expect from someone who has been around for ten years now. Earlier this year, e360 Insight, LLC (a/k/a, e360insight.com, a/k/a e360data.com), asserted that Hacker X had visited them. That's two in less than 6 months, and we're not done with the year yet."

Stock spamming is big business these days. The site listguy.com openly advertises their pump-n-dump services and boasts that they have copies of email lists from Market Watch, E-Trade, and Scottrade (but not Ameritrade). I have even received pump-n-dump brochures via snail-mail on more than on occasion.

Given the scope of the problem and the amount of money involved, I can easily believe that Ameritrade has someone on the inside willing to sell email addresses to the highest bidder.

By Edward Falk, Computer professional. More blog posts from Edward Falk can also be read here.

Related topics: Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: Ameritrade Leaks User Information Yet Again, Blames Hacker X Matthew Elvey  –  Sep 24, 2007 5:04 PM PDT

"pump-n-dump spam to tagged email addresses ... given only to Ameritrade" was news in '05.  Yeah, I was just rereading a John Levine nanae post about spam traceable to Ameritrade which shows they knew about the problem in '05. 

Ameritrade finally admitted to it last Friday in an announcement that was covered in hundreds of articles, according to a google news search, and it indicates that the breach has been ongoing since then; infiltrators had ONGOING access to a databases containing the SSNs of their 6 million customers for about 18 months.

FYI, this announcement is the result of my research and exposure of the hack and follow-up lawsuit against TD Ameritrade.  They announced it now because a judge probably would have otherwise forced them to last week.

Now I'm nailing down exactly what to seek in my settlement negotiations as the class representative.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Diversity, Openness and vBSDcon 2013

Sponsored Topics