Sep 17 2007
The online stock trading and investment company TD Ameritrade announced this morning that a database server holding contact information for approximately 6.3 million customers was cracked and copied by agents unknown. They're saying that the Social Security and account numbers in the database weren't copied, but it sounds kind of odd that crackers would only take names, addresses, and e-mail addresses and leave the good stuff behind. Because the FBI, SEC (Securities Exchange Commission), and FIRA (FInancial Industry Regulatory Authority) are involved they're not allowed to release any more information pertinent to the case. The compromise appears to have taken place sometime in May of 2007 because that's when some of their users filed lawsuits against Ameritrade in US federal court because e-mail addresses they used only for the site started receiving spam.
Yeah. If anyone else tried suing the sources of spam, they'd be ignored.
Anyway, an internal investigation began to determine how those e-mail accounts wound up in the hands of spammers, and they found that a database server was reachable from the public Net (my guess is that someone was manipulating the SQL code in a web application or two with an injection attack). Someone put two and two together and at the count of four called in law enforcement. As it turns out, the spam was part of a pump and dump scam to crank up the price of a two-bit company's stock so that it could then be sold at a hefty profit. Ameritrade has gone on the record stating that they don't think that identity theft was perpetrated, but just to be on the safe side they've called in ID Analytics, Inc. to keep an eye on the credit profiles of all of the Ameritrade customers whose information was copied out of the database.