12:25 PM -- Since we ran our first story about TD Ameritrade's major security breach last Friday, readers have been coming out of the woodwork to tell us their own stories about the problem. One thing is clear: Ameritrade had the information it needed to diagnose and report a breach long before it actually made its disclosure.
If you've been at the North Pole and haven't heard about it, TD Ameritrade last Thursday sent messages to all of its 6.3 million customers disclosing that their names, addresses, and email addresses had potentially been stolen through a hidden bit of malware attached to its customer database. (See TD Ameritrade Breach Affects 6.3M Customers.)
The brokerage said it had discovered the problem during the previous few weeks and that it had removed the malicious code. Users' Social Security information, which resides on the database, had not been touched, and TD Ameritrade said it had "no evidence" that the stolen data had been used for identity theft.
Like most other news media, we took the TD Ameritrade statements at face value because, quite honestly, there aren't too many other sources to ask when we hear about a security breach. And with laws that require swift disclosure in place, we had to assume that the recent discovery of the malware was TD Ameritrade's first indication that a breach had occurred.
Boy, were we wrong. Since we ran our initial story, we've received communications from three professionals stating that they had suspected a breach at Ameritrade since last fall. Two of them stated that they were receiving stock spam in email accounts that were set up specifically for Ameritrade.
The most compelling of these cases forms part of a class-action lawsuit that was filed against TD Ameritrade in May. The user cited in the suit states that he created an email account expressly for communicating with Ameritrade. Then, when that account began receiving stock spam, he moved his account to a different domain, with a different PC and different operating system. (See Lawsuit Raises Questions on TD Ameritrade Breach.)
Only two parties had the data about that email account Ameritrade and the user. And since the user had not given the account information to anyone, he knew that the spammers had gotten the email address from Ameritrade. The brokerage had been breached, he was sure, and he reported it to TD Ameritrade last October.
For many companies and under many states' disclosure laws this sort of evidence would have been enough to constitute a potential breach, requiring TD Ameritrade to report its suspicions to authorities and to customers who might potentially be affected.
But TD Ameritrade apparently decided that this evidence wasn't sufficient to merit a broad disclosure. It continued an internal investigation, apparently hoping to find and fix the problem before it became public. But seven months later, the brokerage still hadn't told its customers about the problem. The class-action suit was filed, in part, to force Ameritrade to disclose the potential breach which it did, finally, last week.
We'll probably never know for sure, but the predominance of evidence suggests that somebody at TD Ameritrade decided to gamble that the company could fix the problem and put a cap on it before it did any public damage. The only problem is this: It was gambling with the identities of its entire customer base. For almost a year, those customers were left in the dark, not knowing their personal information was at risk.
That's wrong. And even if TD Ameritrade escapes through a hole in some too-vague state breach disclosure law, they'll know it was wrong, too.
And so will their customers.
Tim Wilson, Site Editor, Dark Reading