Ameritrade Knew About Data Leak Long Before It Told Customers

from the quite-some-time,-it-seems dept

Late Friday, the news broke that TD Ameritrade is the latest in a long, long, long, long, long list of companies that have leaked their customers' data. In this case (as in many others) it was apparently due to its computers getting hacked. Considering how many similar stories we see, it almost didn't seem worth writing about. However, it appears that Ameritrade was well aware of the hacking long before it disclosed it. According to a lawsuit that was filed months ago, Ameritrade users had been receiving stock spam to unique email addresses provided only to Ameritrade as far back as October of 2006 -- and some of those users had reported this to Ameritrade. Then, back in May, Slashdot ran a detailed piece on the apparent leaking of Ameritrade email addresses, and even questioned why Ameritrade had not disclosed this breach, as is required under California law. The lawsuit, filed at the end of May, questions this as well. Yet Ameritrade waited until now to disclose that its systems had been hacked, making email addresses available to people. Amusingly, Slashdot's report on this fails to note Slashdot's earlier story that helped spur the lawsuit and apparently pushed Ameritrade to finally investigate the claims. Either way, it raises questions about why Ameritrade waited this long to inform its customers that their emails had been leaked, despite pretty clear evidence of a leak from quite some time ago.

Filed Under: data leaks, notification, security
Companies: td ameritrade


Reader Comments

    Zaxk, 17 Sep 2007 @ 12:23pm

    These stupid corporations try to hide important things from people so they don't lose money.

    THE COSTUMER COMES FIRST. BOTTOM LINE.

      DevJade, 17 Sep 2007 @ 12:34pm

      Re:

      Ah yes, what a wonderful society it would be if those who wear costumes get the respect they deserve....

      Kevin, 17 Sep 2007 @ 1:28pm

      Re:

      THE COSTUMER COMES FIRST. BOTTOM LINE.

      So which is it? Does the customer come first, or the bottom line? Because it looks like most companies these days are going with option #2.

    TheDock22, 17 Sep 2007 @ 12:49pm

    No one wants to be made a fool...

    ...especially corporations. In a society of sue-happy people (rather than compromise) I can understand why they kept it a secret. Were they right to do so? Heck no! I would be mad too if my information was leaked from Ameritrade with no warning or options for me to fix it!

    Chris, 17 Sep 2007 @ 12:59pm

    Either way, it raises questions about why Ameritrade waited this long to inform its customers that their emails had been leaked, despite pretty clear evidence of a leak from quite some time ago.

    Raises questions.. does it really? We all know why big corporations never come out with them, cover them up, or just outright don't even acknowledge something is wrong. They don't care, and never will until someone with a backbone makes them pay for it with a fine that actually HURTS their business. Sure, slap a $140,000 lawsuit on them. It's petty cash, what do they care. The NFL suit for half a million; their tax write-offs are bigger than that. The industry wants you to sue them, so that the next time it happens the outcome is already known. The more frivolous lawsuits there are, the more a judge is going to have to rely on everyone else's previous judgements of "I don't care just get me to my lunch break already" sort of mentality. Whine, bitch and moan all you want on a blog, it'd be just as useful as shouting at the board members face to face. The mechanism to push you aside and erase your complaint is already in place, it's called your business.

    Anonymous Coward, 17 Sep 2007 @ 2:45pm

    There is little or no legal penalty (relatively) for these data leaks.

    Oh and the fact Slashdot's editors missed their own story that could tie in with this new one doesn't surprise me. For a while now they've had some inept editors. Such as the one that was mistagging everything 'Enlightening' as if it was the definition of the word and not the name of something.

    Seriously has gone downhill for a while now.

    Charles Griswold, 17 Sep 2007 @ 2:55pm

    Slashdot's Reporting

    Amusingly, Slashdot's report on this fails to note Slashdot's earlier story
    It may be amusing, but it's hardly surprising if you know the way that Slashdot's reporting works. It's very much ad-hoc.

    Scott Evil, 17 Sep 2007 @ 4:05pm

    I'm a victim!

    I started receiving these on October 6, 2006 to an email address I only used with Ameritrade. I reported it immediately to them and also notified the SEC. I told Ameritrade that they had been hacked.

    I should have also notified the media. I was definitely upset that Ameritrade didn't disclose this within a month or 2.

    As of Sept 12, 2007 I'm still receiving email to that address and reporting it to TD Ameritrade and the SEC. The email is stock spam and Storm worm infection email.

    Scott Evil, 17 Sep 2007 @ 4:32pm

    Email from TD Ameritrade

    Looks like they had a bot on a critical system.

    Derek Slater, 17 Sep 2007 @ 8:21pm

    fines

    It is particularly interesting to contrast current breach notification penalties (such as they are) with one individual, the Patriots' Coach B, getting fined a half-million for breaking a rule in football.

    Patti, 18 Sep 2007 @ 1:19am

    Earlier than that

    I notified Ameritrade of their leak in August of 2006. In going back through my records, the first spam sent to my Ameritrade-tagged address was December 2005. How does 20 months strike you?
