TD Ameritrade Discovers Database Breach


My Roth IRA is with TD Ameritrade and this morning I received an email, included below, from TD Ameritrade CEO Joe Moglia in which they explained that unauthorized code gave someone access to a database that included email addresses and social security numbers. It’s the social security number part that scares me but as long as you’re on top of your credit reports (you get free ones each year), it should be okay.

I also noticed an uptick in unfiltered spam to my Gmail account linked to this TD Ameritrade account early this week and didn’t make a connection to any external accounts because I generally don’t use that Gmail account for anything other than friendly correspondence. This underscores the importance of having multiple email accounts for your important correspondence so you can get a better indicator of list selling and breaches before they’re announced. For example, if I always had TD Ameritrade correspondence sent to a Gmail account and ONLY that Gmail, any spam there would indicate some sort of list selling or a breach.

Is there much anyone can do about this? Like any other breach, nothing except be diligent in your review. What is comforting is that TD Ameritrade’s Asset Protection Guarantee, which protects your principal from things outside your control such as breaches, will cover everything if something happens.

Email included after the jump.

Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

What we want you to know:

* Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.

* You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.

While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. (emphasis mine) To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country’s largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.


2 Responses to “TD Ameritrade Discovers Database Breach”

  1. Jonathan says:

    GMail gives you an easy way to figure out how spammers got your email address. Say your address is If you're signing up with TD Ameritrade, you could give them the address Any mail sent to that address will go to your mailbox, making it very easy to determine whose email database was sold/stolen/etc. If you start getting overwhelmed with spam at one of these addresses, you can set a filter to delete those messages (you should probably change your address with the company (or stop doing business with them)). Unfortunately, not all companies’ sign up forms will accept email addresses with the plus sign, but this works well for those that do.

  2. Jonathan, those are “disposable email addresses” or DEAs of the “plus-addressing” kind, which have been around far longer than GMail and are widely available. DEAs were crucial to my uncovering of this breach.

    Jim, you suggest that TD Ameritrade’s Asset Protection Guarantee is broader than it actually is; it only covers cash or securities at TD Ameritrade; any assets lost as a result of the breach not held in a TD Ameritrade account are not covered.

    Click on my name to visit my blog where I disclose more info on the breach, including new news about the lawsuit that led to that email.
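
The per-company address idea from the post and the plus-addressing variant from the first comment can be checked mechanically. The sketch below is an added example, not code from the post or its commenters: it tallies mail that arrives at a tagged address from a sender other than the company the tag was given to. The addresses, the tag-to-domain mapping and the sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: tag handed to each company -> domains it legitimately mails from.
EXPECTED = {"tdameritrade": {"broker.example"}}  # placeholder domain, not the real one

# Constructed sample messages (headers only), not real mail.
SAMPLE = [
    "From: Broker <notices@mail.broker.example>\nTo: me+tdameritrade@example.com\nSubject: Statement\n\n",
    "From: tips@hotstocks.example\nTo: me+tdameritrade@example.com\nSubject: Buy now\n\n",
    "From: promo@pills.example\nDelivered-To: me+tdameritrade@example.com\nSubject: Deal\n\n",
    "From: friend@example.org\nTo: me@example.com\nSubject: Lunch\n\n",
]

def plus_tag(address):
    """Return the tag from local+tag@domain, or None if the address has no tag."""
    local = address.rpartition("@")[0]
    if "+" not in local:
        return None
    return local.split("+", 1)[1].lower() or None

def sender_domain(msg):
    """Domain of the From header. From is forgeable, so a spoofed sender using
    the expected domain is not caught here; this only spots the obvious cases."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def leaked_tags(raw_messages, expected=EXPECTED):
    """Count, per tag, messages whose sender is not the company the tag was given to."""
    hits = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        headers = []
        for name in ("To", "Cc", "Delivered-To"):
            headers += msg.get_all(name, [])
        tags = {plus_tag(addr) for _, addr in getaddresses(headers)} - {None}
        domain = sender_domain(msg)
        for tag in tags:
            allowed = expected.get(tag, set())
            # Accept the expected domain itself and any of its subdomains.
            if not any(domain == d or domain.endswith("." + d) for d in allowed):
                hits[tag] = hits.get(tag, 0) + 1
    return hits

if __name__ == "__main__":
    print(leaked_tags(SAMPLE))
```

A non-zero count for a tag means the address given only to that company is receiving mail from someone else, which is the list-selling or breach signal the post describes.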
