TD Ameritrade database breach an inside job?

Was TD Ameritrade, which revealed on Friday that contact information for 6.3 million customers was stolen from one of its databases, victimized by an attack from an insider?

"This has all the signs of an inside job," said Phil Neray, vice president of marketing at Guardium. "I would say it's highly likely that it was done by a privileged administrator within Ameritrade."

In a video message on the company's website, Joe Moglia, TD Ameritrade's chief executive officer, said the company "recently discovered and eliminated unauthorized code" from the database. He also said the Omaha-based company is confident it knows the source of the breach.

The company said the stolen information included names, addresses and email addresses, plus a variety of account activity information including the number of trades its customers had conducted in the last six months. The company said there is no evidence that Social Security numbers, account numbers and birth dates in the database were stolen. In addition, passwords and user identification numbers were not in the database, and accounts opened after July 18 were not impacted.

While admitting "there's very limited information available now," Neray said the malicious code "could only be put there by someone with administrative access to the database."

"[Insider threats pose] a serious challenge for companies – most don't have systems in place for monitoring the actions of privileged insiders, and until recently, there weren't solutions available to monitor privileged insider use without disrupting performance on mission-critical systems," he said.
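Neray's point is that planting code in a database requires administrative rights, and that most organisations never review what their privileged accounts actually execute. The following added example (not code from TD Ameritrade, Guardium, or this article) shows the shape of such a review: it parses a constructed database audit log and flags statements that introduce executable code (triggers, procedures, jobs) when they come from a privileged account with no approved change ticket, or from an account that should not be able to create code at all. The log format, account names, ticket scheme and the set of "code-introducing" statements are all assumptions for illustration.

```python
"""Added example: flag code-introducing statements by privileged database
accounts in a constructed audit log. Not TD Ameritrade's or Guardium's code;
the log line format, account names and approval list are assumptions."""
import re
from dataclasses import dataclass

# Statement types that place executable code inside the database, i.e. the
# kind of "unauthorized code" an administrator could plant. Assumed list.
CODE_INTRODUCING = re.compile(
    r"^\s*(CREATE|ALTER)\s+(OR\s+REPLACE\s+)?(TRIGGER|PROCEDURE|FUNCTION|PACKAGE|JOB)\b",
    re.IGNORECASE,
)

# Accounts holding administrative rights (assumption for the example).
PRIVILEGED = {"dba_admin", "sys_ops"}

# (account, change ticket) pairs approved for the observed window (assumed).
APPROVED_CHANGES = {("dba_admin", "CHG-1042")}

# Assumed audit line layout: "<timestamp> user=<acct> ticket=<id|empty> sql=<statement>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ticket=(?P<ticket>\S*) sql=(?P<sql>.*)$"
)


@dataclass
class Finding:
    line_no: int
    user: str
    statement: str
    reason: str


def audit_privileged_code_changes(lines):
    """Return a Finding for every code-introducing statement that is not
    backed by an approved change ticket for a privileged account."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # A line the parser cannot read is itself worth a look: an
            # admin with the ability to tamper with audit output could
            # corrupt records to hide activity.
            findings.append(Finding(n, "?", line, "unparseable audit line"))
            continue
        user, ticket, sql = m["user"], m["ticket"], m["sql"]
        if not CODE_INTRODUCING.match(sql):
            continue  # ordinary queries and DML are out of scope here
        if user not in PRIVILEGED:
            findings.append(Finding(n, user, sql, "code change by non-privileged account"))
        elif (user, ticket) not in APPROVED_CHANGES:
            findings.append(Finding(n, user, sql, "privileged code change without approved ticket"))
    return findings


# Constructed sample audit lines (not real TD Ameritrade data).
SAMPLE_LOG = [
    "2007-09-14T02:11:05Z user=app_svc ticket= sql=SELECT name, email FROM customers WHERE id=42",
    "2007-09-14T02:15:30Z user=dba_admin ticket=CHG-1042 sql=ALTER TABLE customers ADD COLUMN region VARCHAR(8)",
    "2007-09-14T02:16:02Z user=dba_admin ticket=CHG-1042 sql=CREATE OR REPLACE TRIGGER trg_region BEFORE INSERT ON customers ...",
    "2007-09-14T03:40:17Z user=dba_admin ticket= sql=CREATE PROCEDURE export_contacts AS BEGIN ... END",
    "2007-09-14T03:41:00Z user=sys_ops ticket= sql=CREATE JOB nightly_export ...",
]

if __name__ == "__main__":
    for f in audit_privileged_code_changes(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason}: {f.statement}")
```

Running it on the sample reports two findings: the `CREATE PROCEDURE` and `CREATE JOB` statements issued by privileged accounts with no ticket. The approved trigger and the schema change by `dba_admin` pass, and the application account's `SELECT` is ignored. Reading a native audit trail offline, as this does, is one way to review privileged activity without adding load to the production database, which is the performance concern Neray raises; the essential control is that the audit trail is written somewhere the administrators being reviewed cannot alter.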

TD Ameritrade said it discovered the breach after customers said they had received spam offering unsolicited investment advice. The company did not reveal precisely when it learned about the breach.

Graham Cluley, a senior technology consultant at security firm Sophos, said that the breach is a public relations nightmare for TD Ameritrade.

"An obvious question is what kinds of security does Ameritrade have that confirms that the people accessing their network should be accessing their network?" he said.

Cluley said TD Ameritrade customers should continue to be wary of emails purporting to be from Ameritrade.

"They could receive not only regular spam in their inbox, but pornography and bogus investment advice as to what to buy in pump-and-dump schemes," he said.

TD Ameritrade said it is working with several federal agencies, including the FBI, the Securities and Exchange Commission and the Financial Industry Regulatory Authority, to investigate the breach. It has also hired ID Analytics and Mandiant to investigate the break-in.

That such a breach could occur at a large financial company is no major surprise, according to a study released in March by the Ponemon Institute. That report said that nearly 60 percent of U.S. businesses and government agencies lack the information or the technology to deal with insider threats to their networks. The report also revealed that 58 percent rely on manual audit and user-access controls for critical enterprise systems and data resources.