[ISN] TD Ameritrade's 6 million customers hit with security breach

From: InfoSec News (alerts@private)
Date: Fri Sep 14 2007 - 22:04:23 PDT


By Dawn Kawamoto 
September 14, 2007

Online trading company TD Ameritrade alerted more than 6 million 
customers Friday that a security breach occurred with its client 
information database.

The database contained such sensitive information as clients' names, 
Social Security numbers, dates of birth, addresses, phone numbers and 
trading activity.

Ameritrade, however, stressed that it has no evidence that Social 
Security numbers and client demographics, such as birth dates and 
trading activity information, were retrieved or used to commit identity 
theft. The company also notes that Ameritrade's user log-ins and 
passwords were not part of the database.

The discovery was made a couple of weeks ago, when the online broker 
learned that investment-related spam had infiltrated the brokers' 
system. The malicious code allowed a hacker to access some of the 
information stored in the database.

A TD Ameritrade spokeswoman declined to give further details of the 
security breach, noting that the investigation is still ongoing.

But one security expert said it could have happened one of two ways.

"There are only two different ways this could have happened. There was 
either a vulnerability with their Web site and it was hacked, or someone 
internally gained access with a Trojan horse," said Graham Cluley, 
senior technology consultant at Sophos.

He warned that Ameritrade clients should be on the lookout for phishing 
attempts, which try to steal users' log-ins and passwords by lulling 
them into believing the e-mail is being sent by the online broker.

Hackers may also try to use the information to run a pump-and-dump 
scheme, in which certain stocks are touted to clients, driving up the 
stock price before the attackers dump the stock.

Ameritrade said it hired ID Analytics to conduct a forensics test to 
ascertain what information, if any, has been compromised. It has also 
posted more information on its Web site.

CSI 2007 is the only conference and exhibition that delivers a business
focused overview of enterprise security. It will convene 1,500+ delegates, 
80 exhibitors and features 100+ sessions providing a roadmap for integrating 
policies and procedures with new tools and techniques. Eleven topic themes 
cover everything from awareness to compliance & risk to wireless, and focus 
on the management and strategic issues crucial to developing a comprehensive 
organization protection program. CSI 2007 is the must-attend event for today's 
security professionals who want to keep current with solutions and meet the 
security challenges of 2008. Register now for savings on conference fees 
and/or free exhibits admission.   www.csiannual.com

This archive was generated by hypermail 2.1.3 : Fri Sep 14 2007 - 22:28:18 PDT