TD Ameritrade discovers database breach

TOPICS: Software, Security

Online broker TD Ameritrade said Friday that it has discovered a database breach that compromised customer accounts.

In a statement, TD Ameritrade said it "discovered and eliminated unauthorized code from its systems that allowed access to an internal database." TD Ameritrade found the breach as it was investigating stock-related spam.

Disclosure: I have more than a passing interest in this since I'm a TD Ameritrade customer.

Here's what TD Ameritrade's analysis revealed:

  • Assets are safe since user IDs, personal identification numbers and passwords were kept in a separate database;
  • Email addresses, names, addresses and phone numbers were taken. This fact explains why TD Ameritrade was investigating a bunch of spam complaints;
  • Account numbers, date of birth and Social Security numbers were in the breached database but not taken.

CEO Joe Moglia apologized for the unwanted spam and said there was "no evidence" that sensitive data was taken. TD Ameritrade also hired ID Analytics to monitor for potential identity theft.

The company also said that clients don't have to do anything special other than monitoring their personal information.

Update: TD Ameritrade is seeing heavy call volume over this issue. The log-in screen gives you the following message:

For more information regarding the recent communications about the SPAM investigations, please go to You'll find our Frequently Asked Questions and see a message from our CEO, Joe Moglia. If you would like to discuss this with one of our representatives, please feel free to send us an email or give us a call. We are anticipating higher than normal call volumes, so you may experience longer than normal hold times.

Further comment from Michael Krigsman.

  • That's great

    That's great, I'd given them one of my "keeper" email addresses because I thought their site was secure. I wondered why I started getting so much spam on it. Now I know.

    Should I believe that, even though my SSN was in the same database, it wasn't compromised? They also indicated that other personal data slipped out, besides email addresses. So probably, my email address is now associated with my street address, name, and who knows what else?
    • Two Years Ago

      I USED to be an Ameritrade customer. Almost two years ago I had given them an email account that I used only with them. I started getting pump and dump spam on that account. I reported it to them. They denied any problems. A web search revealed that others were reporting the same issue. They had Ameritrade only email accounts that were getting spammed. Ameritrade continued to deny the problem.

      I wasn't going to do business with a company that refused to investigate a legitimate security concern so I closed my Ameritrade Account. I just can't risk my money with a company that has shoddy security.
  • Well that explains a lot (I'm a customer of theirs as well)

    I suddenly started getting pump-n-dump stock spam about two months ago on two different email accounts that I set up specifically for financial and stock info. TD Ameritrade had those addresses. I've since dumped the accounts and am using a separate email account just for correspondence with TD Ameritrade. It will be interesting to see if I start getting spam on my new email account. If so, there will be no doubt as to how the spammers got the address.
    • Explains a lot for me as well

      I had an email address for TD Ameritrade exclusively -- created using Yahoo Mail's AddressGuard feature. Incredibly I started receiving spam on that email account. I never thought much about how the spammers might have gotten the email address. I actually figured they "accidentally" gave the e-mail addresses to a third-party marketer or something.

      Anyway, this explains a lot.
  • RE: TD Ameritrade discovers database breach

    TD Ameritrade should provide credit monitoring to each individual customer instead of telling them to monitor their personal information. Seems to me, as usual in these cases the buck is passed to the customer by TD Ameritrade.
  • RE: TD Ameritrade discovers database breach

    Larry: sorry to hear about the data breach which exposed your personal data. I know exactly how you feel. IBM lost my personal data earlier this year, and took 2+ months to notify me.

    TD Ameritrade's data breach highlights the fact that we consumers (and customers) can do everything correctly to protect our IDs, passwords, and personal data -- and still become an identity theft victim when a company has a data breach. The companies are quick to state the "there's no evidence..." line. Be alert and monitor your financial accounts, because YOU will probably be the first to discover $$ theft with your accounts or fraud in your name, not TD Ameritrade.

    I know this because I blog about my experiences dealing with the mess from IBM's data breach and related issues about corporate responsibility:

    At my blog, we've discussed a lot of issues you should be concerned about (including but not limited to):

    a) status and details of the data breach investigation (how exactly do they know that DOBs and SS#'s weren't taken? If you don't get a satisfactory answer, then YOU have to assume the worst and act accordingly to protect yourself)
    b) TD Ameritrade is required by law in 37 states to disclose the data breach. Know your rights. My blog has links to various online resources you should use, like the ID Theft Resource Center and the Privacy Rights Clearinghouse
    c) what the best features are in any credit monitoring package (which TD Ameritrade should offer you since they created the risk to you). But they probably won't as long as they cling to the line "no evidence that sensitive data was taken"
    d) why a Fraud Alert on your credit reports (I strongly suggest this) probably is not enough security for you

    If I were you, I wouldn't be so quick to accept Ameritrade's statement at face value. Talk to them. Demand details about the data breach investigation. If you don't get satisfactory answers, move your accounts to another brokerage. I wish that I had that option with IBM. I didn't because IBM was a prior employer, and I didn't have a customer relationship with them.

    Good luck and let us know what happens!

    George Jenkins
  • They'd have already known if they listened to their customers...

    who called and complained that tagged addresses were being spammed for pump and dumps. I wasn't the only one who complained. They acted like any such breach was impossible. That was months ago.
  • RE: TD Ameritrade discovers database breach

    Trying to secure every data source out there containing personal information is futile. We need to overhaul the way business is done so that it takes more than a name, DOB, and SS number to commit financial crimes. The first place to start is a national law that lets consumers freeze their credit files. A few states already permit this, but most states don't under pressure of financial firms, car dealerships, etc. that rely on impulse buying (the customer might cool off while waiting for the freeze to be lifted temporarily). Unfortunately, we have useless politicians and leaders and a greedy business environment.