A pending class action lawsuit against TD Ameritrade alleges that the brokerage firm had evidence of the security breach that it disclosed last week nearly a year ago but failed to report it.

In a letter to customers last week and a subsequent press release, TD Ameritrade revealed that it has discovered "malicious code" in a customer database that enabled attackers to steal the names, addresses, and email addresses of its entire base of 6.3 million customers. (See TD Ameritrade Breach Affects 6.3M Customers.)

The company said it uncovered the malicious code "recently" in an audit that was spurred by reports of an unusual amount of stock spam reported previously by its customers. A spokesperson says the company did not know its database had been breached until the malicious code was discovered in the past few weeks.

But according to the lawsuit, Ameritrade customers presented the company with evidence of the breach nearly a year ago. "It's the most irresponsible lack of disclosure I have ever seen," says Scott Kamber, a legal expert on electronic privacy and lead counsel for the lawsuit, which is currently seeking certification to become a class action on behalf of all Ameritrade customers.

The lawsuit sought an injunction against Ameritrade to force the brokerage to disclose the breach to customers and the public. A judge would have ruled on that injunction tomorrow if TD Ameritrade hadn't made those disclosures last week, Kamber says.

Ameritrade does not comment on pending court cases and declined to respond to the allegations or give further details on the timing or the specific nature of the breach. The spokesperson did confirm that the company has known about the spam complaints for some time. But it did not know about the malicious code or the breach until it was discovered in a recent audit, she says.

The lawsuit hinges on testimony of Matthew Elvey, a careful customer who created an email account specifically for use with Ameritrade. Elvey became suspicious when he began receiving stock spam in the account, because only he and Ameritrade knew it existed, according to the suit.

Elvey alerted Ameritrade of his suspicions in October of 2006 -- and then, to be certain, he moved his Ameritrade account to a new, dedicated email account that was on a separate machine, running a separate operating system. Before long, that account began to receive stock spam as well.

"At that point, there should have been no question in anyone's mind that Ameritrade's customer data had been violated somehow," Kamber says. Yet the company did not inform users or authorities about the threat, and continued to use the database, he contends.

The spokesperson confirmed that the database continued to be used, even after the reports of heightened stock spam were reported. New customers continued to be added, she said, but customers who were added after July 18 have been determined to be unaffected by the breach.

Security firm Sophos earlier today said it has already gained proof that hackers are trying to exploit the stolen addresses for commercial gain. The company says it has spotted a phishing campaign in which cybercriminals try to coax recipients to a spoof TD Ameritrade site in an attempt to capture user IDs and passwords.

"We've already spotted spear-phishing campaigns where criminals send emails posing as TD Ameritrade in order to extract additional personal information," said Graham Cluley, senior technology consultant at Sophos. "TD Ameritrade customers the world over should be extra vigilant about responding to emails from the company and should immediately check to ensure that their accounts haven't been fiddled with."

TD Ameritrade still hasn't revealed much about how the malicious code was found, where it resided, or what systems it affected. Many experts have been wondering about TD Ameritrade's claim that Social Security numbers -- which reside on the same database as the names and email addresses that were stolen -- were not compromised. Logically, any method used to extract the email data should also have given the attackers access to the SSNs as well, they say.

The spokesperson declined to give details, but she said the determination that the Social Security information was not compromised was made by computer forensics firm ID Analytics, which is investigating the breach on TD Ameritrade's behalf.

But Kamber says the real issue still is what TD Ameritrade knew, and how it reacted. "The evidence suggests that they deliberately kept the lid on the problem until they knew its source, when they should have disclosed it much earlier."

If TD Ameritrade is not censured for the delay, the case could set a dangerous precedent that encourages other companies to hold off on their breach disclosures until they have found and fixed the problem, he explains.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.