Looks like we’ve had another data breach. TD Ameritrade is now notifying 6.3 million customers. If we use my ridiculously low estimate of $2 per notification, they just erased $12.6M from the books. I can think of a lot of good security technologies (and people) that cost less.
I’m being a bit of an ass and there are probably good people there, but we still can’t excuse these incidents. They’re also doing the right thing and paying for an ID theft investigation on top of their own internal investigations.
According to Dark Reading we know:
The company uncovered the malicious code in one of its databases during an audit, which is part of a stock spam investigation. Sources familiar with the breach said the code is not unlike the code used to steal data on 1.3 million users at Monster.com.
Based on that one line, I’d lay odds on SQL injection. But let’s take a poll (this is really just an excuse to test my new polling system):
[poll=2]
TD Ameritrade also said:
The brokerage firm says it is confident that it has identified the method in which the information was stolen and has taken the appropriate steps to prevent it from recurring.
I really hope they release this information to help the rest of us make informed decisions.
5 Replies to “TD Ameritrade Breached- Let’s Take A Poll”
Rich’s TD Ameritrade poll – What do you think the real culprit for the compromise was?
The press release makes it sound like targeted malware, but there are a lot of levels of interpretation between the security experts doing the investigation and the PR flaks doing the press release. There seems to be some doubt, however, that Ameritrade could know that SSNs and other information didn’t get compromised. So I’ll present a reasonable scenario for how emails and names could get stolen from a database without SSNs and other information getting exposed:
Step 1: Marketing department “needs” to send out email to clients, and they’ve purchased software to do so.
Step 2: The audit committee says “whoa, wait a second, you can’t connect directly to our customer database.”
Step 3: A DB programmer is given instructions on what the marketing department’s email program needs. (S)he creates a routine that pulls out name, address, email, etc. from the customer database and spits it out onto a separate server.
Step 4: The audit committee reviews the new DB and the export routine and determines that the routine is safe, but the server the data is going on to isn’t high enough security. Since there’s no SSN or highly sensitive information, remediation is given a lowish score.
Step 5 (optional): Something else in the marketing department gets really hammered by the audit committee—it gets fixed quickly and backs are patted all around.
Step 6: The audit committee gave our fateful database a low score for remediation, so nobody remediated. Maybe it had a single simple password to access it. Maybe it didn’t get patches applied quickly because it wasn’t a “production” server. Any way you can think of, it got pwned.
moved our little poll on this to the sidebar, and will post the results on Monday. I’m starting to think it might
Rich’s TD Ameritrade poll – What do you think the real culprit for the compromise was?
way, don’t forget to check out our survey and make your own best, uninformed,