
TD Ameritrade database breach an inside job?

Was TD Ameritrade, which revealed on Friday that contact information for 6.3 million customers was stolen from one of its databases, victimized by an attack from an insider?

"This has all the signs of an inside job," Phil Neray, vice president of marketing at Guardium, told "I would say it's highly likely that it was done by a privileged administrator within Ameritrade."

In a video message on the company's website, Joe Moglia, TD Ameritrade's chief executive officer, said the company "recently discovered and eliminated unauthorized code" from the database. He also said the Omaha-based company is confident it knows the source of the breach.

The company said the stolen information included names, addresses and email addresses, plus a variety of account activity information including the number of trades its customers had conducted in the last six months. The company said there is no evidence that Social Security numbers, account numbers and birth dates in the database were stolen. In addition, passwords and user identification numbers were not in the database, and accounts opened after July 18 were not impacted.

While admitting "there's very limited information available now," Neray said the malicious code "could only be put there by someone with administrative access to the database."

"[Insider threats pose] a serious challenge for companies – most don't have systems in place for monitoring the actions of privileged insiders, and until recently, there weren't solutions available to monitor privileged insider use without disrupting performance on mission-critical systems," he said.

TD Ameritrade said it discovered the breach after customers said they had received spam offering unsolicited investment advice. The company did not reveal precisely when it learned about the breach.

Graham Cluley, a senior technology consultant at security firm Sophos, told that the breach is a public relations nightmare for TD Ameritrade.

"An obvious question is what kinds of security does Ameritrade have that confirms that the people accessing their network should be accessing their network?" he said.

Cluley said TD Ameritrade customers should continue to be wary of emails purporting to be from Ameritrade.

"They could receive not only regular spam in their inbox, but pornography and bogus investment advice as to what to buy in pump-and-dump schemes," he said.

TD Ameritrade said it is working with several federal agencies, including the FBI, the Securities and Exchange Commission and the Financial Industry Regulatory Authority, to investigate the breach. It has also hired ID Analytics and Mandiant to investigate the break-in.

That such a breach could occur at a large financial company is no major surprise, according to a study released in March by the Ponemon Institute. That report said that nearly 60 percent of U.S. businesses and government agencies lack the information or the technology to deal with insider threats to their networks. The report also revealed that 58 percent rely on manual audit and user-access controls for critical enterprise systems and data resources.
