TD AMERITRADE releases the results of its client SPAM investigation. What you should know:
While investigating client reports of SPAM, we recently discovered
and eliminated unauthorized code that allowed an external source to
retrieve certain client information from one of our databases.
At no time were clients' financial assets held at TD AMERITRADE
touched as a result of this issue. UserIDs and passwords were not
stored in this particular database.
Although sensitive information, like Social Security Numbers, is
stored in this database, we've concluded that this information
belonging to our legacy TD Waterhouse clients was not taken.
We also have no evidence that this information belonging to our
legacy Ameritrade clients was taken and have further validated with a
third-party expert that there is no evidence that any of our clients
have been subject to identity theft as a result of this issue.
We are confident that we have eliminated the unauthorized code and
have taken the actions necessary to prevent it from recurring.
This issue is larger than TD AMERITRADE and is something that all
companies involved in e-commerce should be aware of and prepared to
address. We participate in industry peer groups to share information on
these types of threats in the interest of protecting all of our clients.
We understand that the increase in unwanted SPAM caused by this
issue is annoying and an inconvenience to clients. We sincerely
apologize for that and any added concern this may have caused.
For additional information, please see the FAQs provided below.
Through an ongoing investigation of stock-related SPAM, we recently discovered and eliminated unauthorized code from our systems that allowed a third party to retrieve certain client information stored in one of our databases.
We found the code, eliminated it and put in steps to prevent it from recurring.
While this issue may have created an increase in SPAM for our clients, you should know that the assets in our clients' accounts held with us remain secure. Account UserIDs and passwords, which are necessary to access an account, were not stored in this particular database.
What are you doing about it?
We eliminated the unauthorized code identified in our systems and made changes to prevent this issue from recurring.
We contacted the proper authorities and are working with them to track down responsible parties. We are communicating with our clients and are addressing their questions as they are raised.
We have also hired a third party, ID Analytics, which specializes in identity risk, to monitor potential identity theft. After a thorough initial evaluation, the firm found no evidence of identity theft as a result of this issue. We are retaining its services on an ongoing basis to continue to monitor for evidence of identity theft.
Who is ID Analytics, and what specifically will they do for TD AMERITRADE?
ID Analytics, Inc. is a San Diego-based company that specializes in identity risk. Many of the country's largest banks, wireless carriers, healthcare providers, retailers, mortgage companies and government entities rely on its services to prevent identity fraud.
You should know that ID Analytics has passed an extensive on-site security audit, which we require of all our vendors and especially those that we entrust with our clients' information. ID Analytics is monitoring potential identity theft for us as a result of this issue.
For more specific information on its processes, please visit www.idanalytics.com.
What information was taken from the database, and who is affected?
This particular database included information on clients, accounts, demographics and trading activity.
We do know that information such as email addresses, names, addresses, phone numbers, and other miscellaneous account information, such as the number of trades placed in a given time period, was retrieved from this database and that this activity affected TD AMERITRADE retail and institutional clients who were clients prior to July 18.
While more sensitive information like account numbers, date of birth and Social Security Numbers was also stored in this particular database, we have no evidence that it was retrieved or used to commit identity theft. In fact, we have been able to conclude that this sensitive information belonging to our legacy TD Waterhouse retail and institutional clients was not retrieved.
How do you know that this sensitive information, like Social Security Numbers, hasn't been leaked or misused?
After extensive investigations involving outside forensics experts, we have no evidence that this sensitive personal information was taken.
That is one of the reasons why we have also hired ID Analytics. Its initial investigation has concluded that there is no evidence of identity theft as a result of this issue.
Because of our ongoing investigation, we will not provide additional details.
If information such as email addresses has been compromised for the legacy TD Waterhouse clients, how can you be certain that more sensitive information was not?
Information on our legacy TD Waterhouse clients has been stored in this database for a shorter time. Because of this, we have been able to conclude that this sensitive information was not retrieved.
Does this issue affect new accounts as well? At what point are clients not affected?
Through our investigation we have been able to establish that any new client who opened an account at TD AMERITRADE after July 18, 2007, is not affected.
How long has this issue been going on?
Unfortunately, the issue of SPAM is an industry issue that has been increasing over the past few years. There are many different SPAM campaigns that affect almost every person with an email address. We were investigating a stream of stock-related SPAM sent to our clients when we discovered this particular issue. The investigation had been going on for some time.
Because of our ongoing investigation, we cannot provide further details. One of the most important things is that we have eliminated the unauthorized code and taken action to prevent it from recurring.
Don't you have systems in place to prevent intrusions such as these?
Yes. However, for the security of these systems, and so as to not compromise the ongoing investigation, we will not provide further details about the intrusion.
Have you discovered the perpetrator(s)? When will you have more information?
We are working with the appropriate authorities to track down the perpetrators and to gather as much information as possible as quickly as possible for the benefit of our clients.
Have any of your peers been affected by this same issue?
We do not know at this point, as we are focused on the issue internally to protect our clients and their assets. However, we do know that SPAM is an industry concern.
We also know that criminals are increasingly using the Internet to commit fraudulent activities.
We believe this is a problem that is broader than just our peers and that all companies should be aware of and prepared to address. We participate in an industry peer group to discuss these matters in the interest of protecting all of our clients.
What can clients do? How can they tell whether or not their information is secure?
Clients do not need to do anything with their accounts, other than remain alert in guarding their personal information.
Clients can change their account password(s) - it's not necessary, but clients are welcome to do so and should do so regularly as a matter of best practices.
Clients can contact one of the three credit bureaus and request a copy of their credit report.
For more tips and helpful information that relates to information security, clients can visit the TD AMERITRADE online Security Center.
Are clients at risk for identity theft?
We believe it is unlikely that identity theft will occur as a result of this issue.
While more sensitive information such as account numbers, date of birth and Social Security Numbers was stored in this database, we have no evidence to establish that it was retrieved or used to commit identity theft. In fact, we have been able to conclude that this sensitive information belonging to our legacy TD Waterhouse retail and institutional clients was not retrieved.
Remember, we have hired ID Analytics to monitor for potential identity theft. We are retaining their services on an ongoing basis to further help support our clients' accounts by continually monitoring for evidence of identity theft.
We also remind our clients that if some unauthorized activity were to take place in TD AMERITRADE accounts, clients are protected through our Asset Protection Guarantee.
Has this happened before to TD AMERITRADE?
No. We have made changes to our systems to prevent it from recurring.