TD Ameritrade Knew About Data Breach Since May

TD Ameritrade recently disclosed a security breach that revealed its customers' email and home addresses as well as information about their account activity. Now it seems that the company knew about the data breach back in May—because its customers sued to stop it. From the AP:

Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade’s servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

“They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language,” Kamber said.

Ameritrade officials did not immediately respond to a message left Friday afternoon with questions about the lawsuit.

Earlier in the day, Ameritrade spokeswoman Kim Hillyer said the company discovered the breach in its system during a routine review of complaints about e-mail ads.

“As soon as we found the issue and were able to stop it, we made plans to notify clients,” Hillyer said.

Ameritrade’s “routine review” apparently sort of sucks because BoingBoing knew about the data breach back in June. From BoingBoing (June 4, 2007):

“On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address.

I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for “ameritrade spam” (search without the quotes) are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam.”

TD Ameritrade says contact info stolen [Yahoo!]
Is AmeriTrade tied to pump-and-dump stock scams? [BoingBoing]

PREVIOUSLY: TD Ameritrade Hacked, Customer Data Compromised