Ameritrade and unauthorized code

Discussion in 'Retail Brokers' started by SideShowBob, Sep 14, 2007.

  1. Just got this in my email this morning. I don't even have an account there anymore. Nice to know that my personal information is not secure even at brokers I no longer use.

    And what does "we recently discovered and eliminated unauthorized code from our systems" mean? A hacker broke in and put a monitoring tool on their servers? Or an inside job?


    September 14, 2007

    You do not need to make any changes to your TD AMERITRADE accounts or to change the way you do business with us.

    Dear Ameritrade customer,

    Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

    Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

    What we want you to know:
    Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
    You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
    While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

    For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

    We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

    We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.


    Joe Moglia
  2. GTC


  3. gaj


    here's what happened to me - and i'm assuming this is what was talked about in the press release; i contacted AMTD about this almost a year ago, then 6 months ago, and a techie admitted part of the problem.

    ok...i have an account created, and tagged, so that it is ONLY used on ameritrade's site. i've never used it for anything else. somehow, that address started getting stock spam about a year ago (i think november of '06?).

    fine, i contact AMTD, but also, i change it (within their system) to another address that is highly unlikely to be guessed or joed (for techies). about 3 months later, i start receiving stock spam to that email address. needless to say, i was ticked.

    called AMTD, finally was able to talk with a techie and explained why i was upset (address ONLY given to AMTD), and at the time, they were at a loss as to exactly how it was going out.
  4. BillCh



    This is not only about spam, this is a serious problem which they are trying to downplay! They also gave away our account number(s), date of birth and SSN!!

    As the hacker(s) had access to the database containing that info, it is more of a provocation to read from Ameritrade:

    "-- While more sensitive information like account numbers, date of birth and Social Security Numbers is stored in this database, there is no evidence that it was taken."

    Of course, a hacker who manages to get access to all that data will just copy email accounts, but leave the other data on the server. Like he makes his action way more complicated and installs a filter to only read email account information while stealing/downloading data, because he is a nice identity thief who only wants to send some spam emails. If he/she is in, he/she takes all he/she gets!

    Maybe not used yet, but our SSNs are out there, nicely packaged with our date of birth etc.

    I am an APEX customer there, and I will withdraw all my money as I speak. I also will take further action if any consequences based on that identity theft have or will arise from that security leak at Ameritrade!
  5. The data on Ameritrade's servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The company said Friday the problem had recently been fixed.

    The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

    "They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language," Kamber said.
  6. No one is happy about this, but do you really imagine that any of your information is really secure?

    All it takes is one $10 an hour employee at any place you give your information to, and poof, you are owned by Boris.