Bill Katz

My Brain

TD Ameritrade data definitely compromised

In April 2005, Ameritrade reported that several tapes with customer information were lost. From an article on the incident:
The company discovered the loss in February when it received a damaged package containing a number of backup tapes shipped from its secure facilities in the U.S. Katrina Becker, an Ameritrade spokeswoman, said the shipping company caused the damage to the package. Ameritrade immediately launched an investigation and learned four tapes were missing, three of which were subsequently recovered at the shipper's facility. The fourth, containing personal information on customers who used the company's service between 2000 and 2003, hasn't been recovered, she said. "Those tapes were all found within the shipper's facility, which was also secure, so it is highly likely that the remaining tape was lost or destroyed within that facility, but we are still monitoring it," she said. "We do not believe foul play was involved."
A Google search will reveal many other articles stating how the lost tape was likely lost or destroyed. After the tape incident, Ameritrade notified me of the possible breach and I was given a year of an identity watch service. I was reassured by the comment that the tape was in "secure" areas, and my calculated odds that I wouldn't be one of the accounts on the missing tape.
Well, I can now report that my data was compromised and found its way into the hands of stock tip spammers. I think the Ameritrade tape wasn't destroyed or lost. Here's my evidence.
I've been getting spam stock tips for a while, but I recently noticed that similar spam was being sent to two very infrequently used accounts. The first compromised e-mail address was only used for my Datek trading account. (Datek went through mergers and eventually became part of TD Ameritrade.) The second spammed account was a personal address that only close friends & associates and secure financial institutions possessed. I don't recall getting spam in either account. Now, I get similar stock tip spam in both accounts. The spam consists of an image with stock spam text followed by nonsensical text.
Spam in my Datek-only account is pretty much a smoking gun, but it's not the only evidence. When I get spam in one of my aliased accounts, I simply remove that alias and update the associated web site account. If the new e-mail gets spammed again, I stop doing business with the company. So I went to my TD Ameritrade account to change the datek-associated address and noticed that my secondary e-mail in their database was the second, personal e-mail address that was getting spammed. Pretty clear sign that the breach was at Ameritrade's end. None of my other accounts have the same combination of primary and secondary e-mail addresses. Considering the increased security at Ameritrade after the tape loss, I think the breach is most likely the missing tape.
Update: Jason's comment (below) indicates that the data is currently being compromised. TD Ameritrade recently responded to my e-mail and said "several spam methods do not depend on using purchased or intercepted lists of existing or valid e-mail accounts. Spammers also use known 'brute forcing' or dictionary techniques." I don't know of spam techniques or dictionary attacks that work across unknown domains... that # of possible variations is too large and wouldn't target only Ameritrade customers.
Other people have been getting spam. One victim filed a complaint with the BBB. Here's the response from Ameritrade:
We received correspondence from the Better Business Bureau about your Ameritrade account. I wanted to follow up with you about the Spam e-mails you received. I apologize for the delayed response and understand any frustration you may have experienced in this matter.
Although we have been unable to determine the exact cause of the Spam, I wanted to inform you of what we do know. We thoroughly reviewed our systems and data sent to third parties with access to e-mail addresses and found no misuse or compromises of any of our systems or storage mediums for e-mail addresses. Additionally, after further review of our systems, there is no indication that your account information held with Ameritrade has been compromised.
Please be assured that we regularly contract leading edge security firms to conduct network and application penetration tests to test the security of our network and web presence. We also employ a staff of full time employees solely dedicated to Information Security.
At this time, we continue to work with the U.S. Securities and Exchange Commission to investigate this matter and the source of the Spam e-mails. Should further information become available, we will notify you of our findings.
You may review our Privacy Statement at http://www.ameritrade.com/privacy.html and our Security Statement at http://www.ameritrade.com/tell_me_more/index.html...
We would appreciate your continued support in this matter. Should you receive further Spam to the above referenced e-mail address we ask that you please print and forward the information as soon as possible to:
Ameritrade Compliance
Attn: Jeffrey Plummer
P.O. Box 2148
Omaha, NE 68103-2148
I personally thank you for the opportunity to be of service in this matter.
Sincerely,
Jeffrey K. Plummer
Client and Regulatory Relations Analyst
Corporate Compliance
Ameritrade, Division of Ameritrade, Inc.
Member NASD/ SIPC
Sorry Jeffrey. But our data really was compromised. If all the security measures above are being done by Ameritrade, I think the most likely source of the data compromise is the missing tape. That tape found its way into bad hands. Now I have to escalate my safeguards against identity theft.
Update 8/13/06: My new ameritrade e-mail account, switched from the old compromised account on Jul 31, hasn't been spammed yet. My secondary e-mail account is starting to get increasing numbers of stock spam with an image of text at the beginning followed by actual text (nonsense words). I've been contacted by several people who have only their ameritrade alias compromised out of large numbers of aliases. I'm not sure where the leak originated, but there's definitely been a leak. It's unlikely that they are tapping Ameritrade's e-mails, because my secondary e-mail address with Ameritrade isn't used for any official communications, yet it's been spammed heavily.
Update 5/31/07: Uh oh, just got slashdotted :) One visitor left a possible lead to the leak. Feel free to comment over there.
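The attribution argument in the post (spam reaching addresses that only one company was ever given, plus a replacement address that stays clean) can be written down as a small check. The script below is an added example, not code from the post, and it generalises the post's single case to any number of aliases and campaigns. The registry, addresses, holder names, dates and campaign labels are all constructed placeholders, and grouping messages into a campaign is assumed to be done elsewhere.

```python
from collections import defaultdict
from datetime import date

# Constructed registry: address -> {holder: date the address was given to it}.
# All names and dates are placeholders; none come from the post.
REGISTRY = {
    "datek@example.org": {"broker": date(2001, 3, 1)},
    "personal@example.org": {"broker": date(2003, 6, 1), "bank": date(2002, 1, 15),
                             "insurer": date(2004, 9, 9)},
    "bank@example.org": {"bank": date(2002, 1, 15)},
    "shop@example.org": {"shop": date(2005, 5, 5)},
    "k3x9-broker@example.org": {"broker": date(2006, 7, 31)},
}

# Constructed observations: (date received, recipient, campaign label).
SPAM = [
    (date(2006, 7, 20), "datek@example.org", "gif-stock-tip"),
    (date(2006, 7, 22), "personal@example.org", "gif-stock-tip"),
    (date(2006, 8, 2), "datek@example.org", "gif-stock-tip"),
    (date(2006, 8, 5), "shop@example.org", "pharma"),
]


def attribute(registry, spam):
    """Per campaign, list the holders that were given every address it reached."""
    first_seen = defaultdict(dict)      # campaign -> {address: first spam date}
    for when, rcpt, campaign in spam:
        if rcpt in registry:            # skip catch-all hits on unregistered names
            prev = first_seen[campaign].get(rcpt, when)
            first_seen[campaign][rcpt] = min(prev, when)

    report = {}
    for campaign, seen in first_seen.items():
        # A holder is a candidate only if it already had the address when the
        # spam began, and only if that is true for every address reached.
        common = set.intersection(*(
            {h for h, given in registry[a].items() if given <= first}
            for a, first in seen.items()))
        findings = {}
        for holder in sorted(common):
            held = {a: h[holder] for a, h in registry.items() if holder in h}
            hit = sorted(a for a in held if a in seen)
            clean = sorted(a for a in held if a not in seen)
            # The leaked copy contains every hit address, so it was taken no
            # earlier than the newest of them was handed over.
            after = max(held[a] for a in hit)
            # Assumption: a clean address is clean because it is newer than the
            # copy. This bound moves later if that address is spammed afterwards.
            before = min((held[a] for a in clean), default=None)
            findings[holder] = {
                "hit": hit,
                "clean": clean,
                "copied_on_or_after": after,
                "copied_before": before,
                # False means an older address escaped: partial leak or wrong holder.
                "consistent": before is None or before > after,
                # One hit address alone could still be a guess or a harvest.
                "corroborated": len(hit) >= 2,
            }
        report[campaign] = findings   # empty dict: no single holder explains it
    return report


if __name__ == "__main__":
    for campaign, findings in attribute(REGISTRY, SPAM).items():
        print(campaign, findings or "no single holder explains every hit")
```

An empty result for a campaign means the addresses it reached share no common holder, which points to more than one source or to guessing rather than a single leak.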

32 Comments

  1. It's even worse than you think by Jason (2006-07-31)

    I have two ameritrade accounts, one regular and one IRA. I have email from them going to two separate email accounts. No other website has those addresses. I get the same stock spam going to these accounts and not to my other hundred or so accounts. I thought maybe the cause was the lost tape so I changed the addresses they were going to a few weeks ago. This past week I started receiving the spam at the new addresses. Their current data has definitely been compromised.
  2. It's even worse than you think by Bill (2006-07-31)

    That's really bad. Can you give me your contact information (use my contact form on left)? We'll see if my new Ameritrade e-mail address starts getting spam as well.
  3. I too am receiving spam from Ameritrade by MitchV (2006-08-11)

    I have a separate account for each company with whom I do business. I have received numerous spam emails directed towards my Ameritrade account recently. There is a *real* problem here.
  4. Ameritrade Spam by Anonymous (2006-08-14)

    I got 5 over this past weekend. Nonsense text and a GIF image with a great stock tip. Should I buy 1000 shares?
  5. I am getting 5 a day to both of my accounts by Jay Man (2006-08-16)

    Hello all, I am getting 5 emails a day to my mobile and ameritrade email account. I just set the mobile account up 5 days prior to adding it to my ameritrade account. Besides family, NO ONE else has this email... Ameritrade is screwing us. How can we start a class action lawsuit?
  6. We probably should be very by Anonymous (2006-08-17)

    We probably should be very concerned about the REST of our data--they have all of our social security numbers, etc. too. I called Ameritrade and they admitted they've heard about it already and that they would call me back if they figure something out...I hope all of the rest of you call too. They should be giving us free credit watch or something...at least.
  7. Me 6 by Anonymous (2006-08-18)

    I also use a dedicated email account on a private domain. I too am getting the spam. I think MSNBC should look into this and make it public knowledge. Jim Kramer would have a field day. I suggest we might want to sell our interests in Ameritrade and their security analysts. (That is an opinion and not a recommendation to buy or sell stock. )
  8. Another clue by Rob Moore (2006-08-26)

    I was just checking my ameritrade account and noticed the secondary email address I had entered is the only other place I get spam from the same penny-stock group. Seems very suspicious.
  9. Me too by Jack Cheng (2006-08-30)

    I signed up just two months ago, and I've been getting the same thing. I called them today and all they told me was that they don't give out customer info
  10. Ameritrade spam by AK (2006-08-30)

    Add one more with a tagged domain getting stock spam for ameritrade@mydomain. Ameritrade's "what me worry" response seems to be the standard answer for large corporations. A year ago I began getting spam to ual@mydomain, and ual2@mydomain (my wife's registration with United). I forwarded the ual spam to an increasing number of corporate flacks until one gave the "dictionary attack" answer. I then asked how come I'm registered at ual and ual2, and am getting spam at ual and ual2, but not ual3 or ual4, addresses which have never been registered? The response was that spammers are very clever. These guys lie like other people breathe.
  11. More complaints and evidence by Murry (2006-10-18)

    Just a little short background. I ran the largest privately owned ISP in Minnesota for years. I know what I'm talking about. I've been dismissed by people saying that my data was compromised in other ways. It's not true. One of two things happened, and I will bet everything I own on it. Either Ameritrade sold our information to someone else, or our information at Ameritrade was compromised by someone on the outside, or possibly on the inside. Like many others here, I have my own domain name. For the last 10 years, I've assigned a different email address for every merchant, vendor, or website that requires one. In the case of Ameritrade, I had three addresses set up. One for my personal account, one for my business, and one for my mother. Up until July 15th, 2006 I had never received spam at any of the three email addresses. After July 15th I began receiving spam to all three of them. I have tried contacting Ameritrade for more information. To date, I have received none. I'm not letting this slide. On principle it pisses me off to no end when I am treated like a moron by either morons or by people who intend to profit off of deception. If I don't get a straight up answer from Ameritrade soon, I will be doing as much as I have time for to expose the way they do business. I told them in my latest email it doesn't have to be this way, just tell me what happened and what they are doing to make sure it won't happen again and what they are going to do to punish those responsible. I highly doubt I will get a satisfactory answer. Murry
  12. Looks like someone on the inside by Anonymous (2006-11-12)

    It MUST be either an insider or an affiliate. I opened a brand new account at Ameritrade a few weeks ago. I was not a customer in 2005 (when the tape was lost). I got pump-and-dump spam last week (Nov 2006) on the unique address I gave only to Ameritrade. I hope they quickly do a thorough investigation of everyone with access to customer data. There's absolutely no question in my mind that the leak is from Ameritrade. This is really worrisome.
  13. Spammed with new address by Brett (2006-11-13)

    I posted earlier (Aug 17) that my old ameritrade address (in use for at least a year) was sent spam. I then created a new one. Today I received spam to it (and it contained a random number in it). Canceling my accounts now...interested in hearing their explanation.
  14. Me also by Steve (2006-08-19)

    Also getting regular spam at the address I use solely for Ameritrade. Email addresses are one thing, but if other personal data has gotten into the wrong hands they need to take this seriously.
  15. One more data point here. I by Jon Huang (2006-11-18)

    One more data point here. I also get spam only to my Ameritrade email.
  16. Me Too by Anonymous (2006-08-11)

    I've noticed today that my Ameritrade account email address, which I have only ever used for them and is NOT recorded on my computer, is now getting stock tip spam. Although someone COULD have guessed I use Ameritrade@myDomain.com, I have a feeling that it's probably extremely uncommon to use Ameritrade@ for an email address beginning and that it would be not worthwhile for a company to test for this. Furthermore, I get emails addressed to any address at my domain and I am certainly not getting email spam from any other stock trade company--ie: I am not getting spam from datek@mydomain.com.
  17. Me too, too by Eric (2006-08-12)

    For the past couple of weeks I also have been getting a lot of spam sent to my ameritrade@mydomain email (which is only used with them) I think it's about time to move my account.
  18. Me three... by Anonymous (2006-08-12)

    Same thing. I complained in late June, and changed my contact information for my main account, but not (as it turned out) for my secondary. I got my first spam to the new email on July 28. Since Aug 10, I've gotten 30 pairs of spam messages. Every pair comes from a different source (presumably compromised PCs), but each message in a pair is from the same source. None of the hundred-odd other aliases in my domain have received these spams. Last time I complained, I asked for and received some free trades in compensation. I'm not sure I'll be satisfied with that this time. Email addresses *are* different from other account information, in that they regularly get sent out over unencrypted connections -- that's pretty much how SMTP (the email protocol) works. I wonder if someone's tapping their outgoing email somewhere upstream from them? Back to Google to find out who else is talking about this...
  19. Me four by Anonymous (2006-08-12)

    Found this page while googling for "ameritrade spam". I too have a dedicated "ameritrade@mydomain" e-mail account that began receiving spam for the first time ever on July 28. Time to cancel my account...
  20. AmeriSPAMed to DEATH by Ameri-Spammed (2006-08-17)

    AMERI-SPAMed to DEATH [ you know guys, the only way we know about this is each of ] [ us have used unique email addresses for TD Ameritrade ] I have been a customer of Ameritrade for a couple of years. When they were merged with TD Waterhouse, I stayed with them - despite my mistrust of TD Waterhouse. Recently, I have a lot of graphical spam sent to my email AMERITRADE@mydomain. I thought that their info had been hacked. I tried to obtain a phone number for the local office, I searched and searched, no luck. I tried to find an email address to forward the offending spam to TD Ameritrade, again no luck - seems they want to be able to call, email or dump stuff on you - but not allow you to contact them except through their central phone facility. I called their 800 number, spoke with a rep - who admitted that there had been some problems. What I want to know is: * If they were hacked - WHY WASN'T AMERITRADE THE FIRST TO ADVISE ME. * After reading some of the other comments on this BLOG, I want to know if TD AMERITRADE has unclean hands concerning this SPAM issue and is making money because of it. The web site (especially the new one) makes excessive use of scripts, pop-ups and other irritating and potentially security compromising techniques. (Every extra browser feature is a security risk!) It looks nice, but is irritating to use. Poor selection of colors further results in a site that is more difficult to see. Personally, I use the "old site". To be fair, there were some things I liked about the "old site", the ability to display selected information, in my tabbed browser. I also found the real-time extended quote format quite useful. (Scottrade has similar features). I entrusted TD Ameritrade with my identity, email address, personal information, stock positions and cash. I expected them to tell me the truth as to if there had been a break-in or if they allowed my private data to be compromised.
THE EXCESSIVE SPAM HAS INJURED ME, on a dial-up, I simply do not have the bandwidth to get done all that I need to do. Additionally, this private email address is now unusable. What's worse I now believe, that they are profiting from this very activity that has hurt me. AT BEST IT IS DISRESPECTFUL AND DANGEROUS FOR ANY FINANCIAL INSTITUTION TO INADEQUATELY PROTECT ALL DATA REGARDING THEIR CUSTOMERS. IT IS FAR WORSE IF THEY ARE DIRECTLY ABUSING THIS TRUST OR EVEN TURNING A BLIND EYE TO THE PRACTICE. I believe that TD Ameritrade does not have their customers' best interest at heart, but rather TD Ameritrade’s short term interest at heart. WHAT CAN BE DONE - CLOSE YOUR ACCOUNT WITH THEM WHAT CAN BE DONE - I AM CLOSING MINE. WHAT CAN BE DONE - COMPLAIN in writing to your senators, and the SEC. WHAT CAN BE DONE - If they indeed are profiting from illegal WHAT CAN BE DONE - SPAM activity legal consequences must follow. WHAT CAN BE DONE - Tell other brokerage firms about this BLOG, WHAT CAN BE DONE - they are the ones with the most to lose from WHAT CAN BE DONE - unfair practices of other brokerages. WHAT CAN BE DONE - Tell your AMERI-SPAM stories. WHAT CAN BE DONE - write blogs, speak at investment clubs, tell others The only way to deter BAD BUSINESS PRACTICES is to make them unprofitable. If BAD BUSINESS PRACTICES are rewarded, they will not only continue, but spread to other firms. We must act not only to protect ourselves but in the greater good. BTW: I have been VERY WELL SERVED by two other online brokerage firms, Charles Schwab and Scottrade.com. I encourage you to check them both out. On the same theme, small banks and credit unions almost always treat their customers much better than large banks, CHECK IT OUT! I favor a CLASS ACTION suit and would consider being a lead complainant, attorneys take note!
For a short time (until I get spammed), interested parties may email me at “aaa-tmp-email0AM0SP6AM01" (at) “PGHSAVE.COM (just remove the quotes and replace “ (at) “ with the @ sign. -AmeriSpammed in Pennsylvania (LEGAL: The information contained in this post is strictly the opinion of the author no representation is made as to the reliability or truthfulness of information contained herein. Readers must determine the facts for themselves independent of this posting.) Who created http://www.AmeriSPAM.com/ wonder why?
  21. Me 5! by Brett (2006-08-17)

    I changed my email address with ameritrade after I started receiving spam, and included a random letter/number sequence in it to remove the possibility of spammers guessing it. I will certainly report back if I start getting spam on it. Please keep me updated if possible of any action against Ameritrade.
  22. Class Action Suit, anyone? by Steve (2006-08-15)

    Congratulations to Bill for getting your blog on the top of Google for "Ameritrade Spam". I suspect you will receive a lot more visitors now. :) The response of Ameritrade to the BBB is completely insulting. Their PR and customer service departments are obviously being told to stick their heads in the sand and hope it goes away. I own my own domain name, one that no dictionary technique could EVER guess. Furthermore, I set up an e-mail address that no "brute force" algorithm could POSSIBLY figure out, and that NO ONE in the world could possibly guess. I used that e-mail address NO place else except one time--when I signed up for my Ameritrade account. Today, I get DAILY spam on this address. It follows the same pattern as everyone said. A bunch of nonsense text (for everyone's information, this is a tactic that spammers use to get through and to sabotage heuristic spam-blocking filters), and then a "hot tip" in the form of a graphic (again, done this way to circumvent filters). It is obvious that one of two things are happening. 1) Ameritrade is selling our e-mail addresses to these scam artists who send thousands of e-mails out in illegal "pump and dump" schemes. 2) Ameritrade's database of our information has been compromised. There are no other possibilities. The scary thing is--if someone is hacking into their systems and stealing our e-mail addresses--what else are they able to steal? If any lawyer is reading this, I would be very happy to lend my testimony to a class action suit. It is solid proof that Ameritrade's response to Bill is a load of hogwash. I have two Ameritrade accounts, one opened years ago, one opened just a month or two ago. Both are getting spammed.
  23. Class action or news? by Jason (2006-08-17)

    I'm all for a class action suit, though it would be hard to prove damages. On the other hand, we don't know if other information leaked out too, like account numbers, ss#. I think this may be something the news media would be interested in. I am currently in the process of dealing with ameritrade and have forwarded them a number of headers from messages. We'll see if they do anything.
  24. Ameritrade may be in cahoots by Anonymous (2006-08-16)

    Have you noticed something? Ameritrade is not even acknowledging that there is a problem. To me this says one thing: they are benefitting from these spam e-mails, and are turning a blind eye. Think about it--tens of thousands of people get the e-mail. Out of this, maybe a few hundred may be gullible enough to purchase the stock. They get paid a commission for each purchase. If Ameritrade really cared about us as customers, they would send out an e-mail to all of their customers, warning them NOT to react to these e-mails. The only way the spam will go away is if the spammers stop making money from them. But since they're making money, they don't seem to be getting on their horse to fix anything. This is something the SEC should look into.
  25. No conspiracy theory needed by John F. (2006-09-25)

    Have you noticed something? Ameritrade is not even acknowledging that there is a problem. To me this says one thing: they are benefitting from these spam e-mails, and are turning a blind eye. When I started getting these spams, I immediately emptied both of my Ameritrade accounts and stopped trading, and won't refund the accounts (or trade) until this case is solved. If I'm not alone in my reaction, I don't think Ameritrade is benefiting from this spam. On average, people who fall for these pump and dump scams probably don't have a lot of money to trade, anyway (or won't for long). Even if they do make some money from the spam, I don't think Ameritrade would trade a little more income in the short term for a PR disaster. As for Ameritrade "not even acknowledging" the problem, a simpler explanation, I think, is that the front line of customer support has been uninformed (as is so often the case with the poor overworked grunts manning the phones). I had to drill through a couple of layers of management before I found someone who had some contacts in IT. That person knew about the spam issue, and freely acknowledged it.
  26. Two (or three) incidents by John F. (2006-09-25)

    Reviewing the reports here and elsewhere (plus my own experience), it looks like there were at least two incidents where a large number of customer accounts were misappropriated. One resulted in a spamming campaign that began on or shortly before October 31, 2005, and the second obtained more customer information in mid-2006, leading to a second round of spam starting on or shortly before July 28, 2006. The second incident clearly is unrelated to the missing tape, since it included many email addresses that were created months later (after the first round of spam). It's hard to know whether the October 2005 spam stemmed from the missing tape, but I'm inclined to guess that it didn't, partly because of the length of time (8 months) between the tape loss and the spam. The interval between the second security breach and the second round of spam was apparently at most "a couple of months", possibly much shorter; and partly because the spam starting July 2006 is evidence that someone has had access to the account data without having to rely on those tapes.
  27. inexcusable by Anonymous (2006-11-09)

    As an Ameritrade customer, I am outraged that they let my data leak like this. But I'm even more outraged that they are trying to bury the issue rather than admitting the breach. I gave them email addresses of the form [myname]_ameritrade_ira@[mydomain] and ameritrade_ira@[mydomain]. I only used those (obviously) for my IRA account at Ameritrade. The address had never received spam until July 5, 2006. I received 4 spams on that day, for a total of 36 in July. Then I received 199 in August, 137 in September, 231 in October, and 76 during these first 9 days of November (9 so far today). I have all 679 of these emails saved if Ameritrade or a reporter wishes to see them. Ameritrade needs to fess up SOON and email ALL of their customers notifying them of this breach, or they will look even WORSE once reporters get wind of this.
  28. I am another person who had by Anonymous (2006-11-10)

    I am another person who had the email address I gave to Ameritrade suddenly hit with spam earlier this year. And, for the record, it wasn't ameritrade@ but a non-dictionarable minimally distributed address which started to get stock spams.
  29. another victim by Anonymous (2006-11-15)

    After reading this post, it hit me like a ton of bricks: my work e-mail address -- which I've only had since March of this year -- has in the past month or so started to receive the exact same stock pump & dump .gif-based spam that I get at my Gmail account. I just couldn't figure out how in the world they got that address; I never used it to sign up for any websites and it's only known to colleagues and clients, who are all professionals. But after reading this, I went to my Ameritrade settings, only to find that my work address is my secondary Ameritrade address, which jibes with what others have stated above. BOTH accounts are getting spammed with stock pump & dump garbage and only that kind of spam. So this is obviously a concerted, targeted effort that likely involves an insider at Ameritrade -- FBI, anyone?
  30. Spam from Ameritrade by Jay (2006-11-16)

    As a matter of policy I give a new email address to every company I deal with. A few days ago I started getting spam to the email address I gave to ameritrade. Nasty stuff too, stock trading scams, etc. I contacted them via email and didn't get a response. It looks to me like their email database has been compromised. :-( -Jay
  31. I use dedicated email by Anonymous (2006-11-16)

    I use dedicated email aliases for each of the companies I deal with, specifically with the goal of identifying spammers. Both my datek@[mydomain].com and ameritrade@[mydomain].com receive a lot more spam than, let's say, fidelity@[mydomain].com. I noticed that the spam to those aliases increased significantly AFTER I closed two of my Ameritrade accounts. (One was dated back to the Datek days).
  32. Same here. I too run my own by Anonymous (2007-02-21)

    Same here. I too run my own domain, and have a similar policy for addresses I provide when asked. In my case, I actually provide a slightly more 'dictionary-proof' address, such as asfdasdf-ameritrade@domain.com. Dictionary attacks won't bother to attack that deep in entropy, and my mail server has anti-dictionary attack provisions anyway. It implements a forced response slowdown, based on source IP after X wrong address attempts. It also does not support the SMTP VRFY command, which stops spammers from compiling 'known-good' lists. So, I can say with the utmost of certainty that when I received Pump & Dump Stock Spam to this address, the only possible source is that Ameritrade was compromised. What's worse, I never actually had an open account with them! I had inquired on the website once when I was considering opening an account, but I never actually did. This screams of either an actual network compromise, or an insider. Side Note: Shouldn't there be some sort of moderator element to this blog if it is going to allow anonymous posting? There is blog-spam all through this page, and it would appear that the owner doesn't care. What's that about?