TD Ameritrade Knew About Data Breach Since May

TD Ameritrade recently disclosed a security breach that revealed its customers email and home addresses as well as information about their account activity. Now it seems that the company knew about the data breach back in May—because its customers sued to stop it. From the AP:

Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade’s servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

“They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language,” Kamber said.

Ameritrade officials did not immediately respond to a message left Friday afternoon with questions about the lawsuit.

Earlier in the day, Ameritrade spokeswoman Kim Hillyer said the company discovered the breach in its system during a routine review of complaints about e-mail ads.

“As soon as we found the issue and were able to stop it, we made plans to notify clients,” Hillyer said.

Ameritrade’s “routine review” apparently sort of sucks because BoingBoing knew about the data breach back in June. From BoingBoing (June 4, 2007):

“On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address.

I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for “ameritrade spam” (search without the quotes) are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. “

TD Ameritrade says contact info stolen [Yahoo!]
Is AmeriTrade tied to pump-and-dump stock scams? [BoingBoing]

PREVIOUSLY: TD Ameritrade Hacked, Customer Data Compromised


Edit Your Comment

  1. Jebus. It is going to be such a pain in the arse for me to move my account to another company.. but I guess that is just what I am going to have to do. Thanks for making my day to day life that little bit more difficult and unpleasant TD Ameritrade!

  2. jeffl says:

    This has been going on for a long time. The first spam I received to my Ameritrade address, back when it was Datek, was in November 2005, then another in December 2005, and not again to that address until December 2006. That might have been a different incident than the current one, but still, it was spam to an e-mail address used only from Datek.

    In July 2006 I received my first spam to an e-mail address I’ve only given Ameritrade, which is different from the Datek address I had been using. In August 2006 I reported the problem to Ameritrade and the SEC.

    The SEC seemed to take my report seriously, and sent me a letter requesting I e-mail them all of the spam I’ve received. I sent the information to them, and never heard back, but I didn’t expect to.

    I was contacted about joining the class action suit, but I’m in a state where part of my agreement with Ameritrade was binding arbitration, so I’m not eligible to join the suit

  3. netbuzz says:

    Since May? No, make that since January 2006. An IT security pro warned Ameritrade at that time that customer info — including his — had been compromised in some manner. Details here:


  4. drrictus says:

    Actually, moving your account from TD won’t save your information from hackers. TD told me, a *former* account holder, that they are “required by federal law” to hold all your information for 6 years.
    So, blame the SEC for creating such a “target rich environment”, though there are good reasons for this.