In a Special Client Announcement designed to attract as little media attention as possible, TD Ameritrade has admitted that six million customer records have been breached by spammers and other evildoers of the black hat persuasion.
On the Ameritrade site, CEO Joe Miglio appears in a special video, attempting to reassure customers without offering any specifics while spreading the blame as widely and thinly as possible. To wit:
This issue is not unique to TD AMERITRADE. It's something that all companies involved in e-commerce should be aware of and prepared to address.
If this all seems vaguely familiar, it's because some Ameritrade customers have been besieged with pump-and-dump spam for well over a year -- several have gone so far as to create honeypot trading accounts just to prove that the source of the spam had to be Ameritrade. So far the company's response has ranged from pitiful to pathetic.
In a blog entry last June, I posited the optimistic view that perhaps Ameritrade shared its customers' email addresses with a business partner whose security procedures and/or ethics were less than first rate. Forgive me for quoting myself, but back then I wrote the following:
And that's really the best case scenario. Because a true security breach at Ameritrade -- something that opened up account and personal information to data thieves -- would be a far more serious thing than some spam designed to part fools from their money.
Guess what, sparky. The worst appears to have happened. In fact, according to IDG news reports it may have happened well over a year ago.
And while Ameritrade assures us "there is no evidence" customers' birthdates and Social Security numbers were taken (PDF), this doesn't mean they weren't -- it just means Ameritrade isn't aware of it. Given that smart identity thieves sit on this information for months, waiting for users to drop the fraud alerts on their accounts, we won't really know for years. We probably will never know.
As part of its damage control, the company is doing its best to characterize this as a spam issue, not an identity theft issue. But even if the attackers merely stole Ameritrade email addresses, they will likely use them to send phishing emails to capture user names and logons. If a customer falls for that, well, it's off to the bank for the hackers. Can you say ka-ching?
Ameritrade is right that this is a Net-wide problem -- just ask companies like Monster.com. But that doesn't mean the problem affects everyone equally. Some companies clearly do a better job of securing their customers' assets than others. Some companies are probably not doing such a good job but the news hasn't hit the blogosphere yet. And some companies couldn't locate their own derrieres with a map, a GPS transceiver, and a team of Navy SEALs.
I wonder which category Ameritrade falls into. Any thoughts?