[SIG-IDtheft] Ameritrade hacked....more than 6 million affected

Sat Sep 15 14:23:36 PDT 2007

Seems IDTheft isn't a matter of "if" but "when"....

 http://news.yahoo.com/s/ap/20070914/ap_on_bi_ge/broker_data_theft_3

By JOSH FUNK, AP Business Writer Fri Sep 14, 6:59 PM ET

OMAHA, Neb. - Online brokerage TD Ameritrade Holding Corp. said Friday one
of its databases was hacked and contact information for its more than
6.3million customers was stolen. A spokeswoman for the
Omaha-based company said more sensitive information in the same database,
including Social Security numbers and account numbers, does not appear to
have been taken.

The company would not share many details of its investigation, including
when the hack took place, because it is still looking into the theft and
cooperating with investigators from the FBI, Securities and Exchange
Commission, Financial Industry Regulatory Authority and local authorities.

But Ameritrade has known about the problem at least since late May when two
of its customers sued the brokerage in federal court because they were
receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade's servers may have been vulnerable for an extended
period of time dating back at least to last October, according to the
lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem
had recently been fixed.

The plaintiffs in the lawsuit had wanted the court to order Ameritrade to
tell its customers about the data problem, but Ameritrade issued its release
before a hearing could be held. The plaintiffs are also seeking damages and
are trying to qualify as a class-action lawsuit.

"They preferred putting out a press release with their own language in it
rather than have the court order them to put out a release with our
language," Kamber said.

Ameritrade officials did not immediately respond to a message left Friday
afternoon with questions about the lawsuit.

Earlier in the day, Ameritrade spokeswoman Kim Hillyer said the company
discovered the breach in its system during a routine review of complaints
about e-mail ads.

"As soon as we found the issue and were able to stop it, we made plans to
notify clients," Hillyer said.

The plaintiffs in the lawsuit say all the unwanted e-mail ads they received
appeared to be designed to manipulate the value of thinly traded stocks.

This breach is smaller than the biggest known data breach at a company,
which was the theft of at least 45 million credit card numbers of TJX Cos.
retail customers that was reported earlier this year. But the Ameritrade
problem is still significantly larger than many data breaches that involve
hundreds or thousands but not millions of records.

Ameritrade spokeswoman Katrina Becker said there is no evidence that any
customer suffered financial losses or had been a victim of identity theft.

Becker would not say why the company was confident Social Security numbers
had not been taken even though they were kept in the same database as
customer contact information, trading data and demographic information.

Other Ameritrade databases where information such as passwords, user IDs and
personal identification numbers are kept were not violated, the company
said.

Ameritrade hired ID Analytics Inc., which has expertise in identity theft,
to help with the investigation, and it plans to continue using the company
to monitor its servers for potential identity theft.

ID Analytics will continue checking Ameritrade customer data against other
databases to watch for identity theft because it could emerge later, said
Mike Cook, chief operating officer for the San Diego company.

"Just because a breached file is not misused today, it doesn't mean that it
won't be misused in the future," Cook said.

If all the thieves obtained was basic contact information, Cook said that
might not be enough to steal an identity and apply for credit in another
person's name. But he said the thieves might try to obtain additional
information from a victim by posing as a legitimate business in an e-mail.

Ameritrade started notifying its customers about the data theft Friday, and
the brokerage posted information about it on its Web site.

"While the financial assets our clients hold with us were never touched, and
there is no evidence that our clients' Social Security Numbers were taken,
we understand that this issue has increased unwanted SPAM, which is annoying
and inconvenient for them," Chief Executive Joe Moglia said in a statement.
"We sincerely apologize for that and any added concern this may have
caused."

Ameritrade is telling customers they don't need to do anything with their
accounts except "remain alert in guarding their personal information." The
company's asset-protection guarantee would cover any losses in Ameritrade
accounts because of identity theft or fraud.

Ameritrade said it is confident that it identified how the information was
stolen and has changed its computer code enough to prevent the theft from
recurring. It said any new client who opened an account after July 18 was
not affected.

Hillyer said the company's investigation was able to determine that the
database had not been hacked after July 18.

Ameritrade's 6.34 million accounts as of July make it one of the nation's
biggest discount brokers after leader Charles Schwab Corp., which has
6.9million brokerage accounts.

-- 
Britta Glade
Liberty Alliance
925-254-4233
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20070915/960029e7/attachment.html 