Last week online brokerage TD Ameritrade alerted over 6 million of its customers that a security breach had occurred in its customer database. The notification, though cleverly couched by TD Ameritrade as responsible disclosure, is of course a legal requirement in many states (stemming from the ground-breaking California Senate Bill 1386, the first of its kind to mandate such disclosures).

Even though the information accessible in the database was highly sensitive stuff (names, SSNs, dates of birth, addresses, trading activity, and contact info), I suspect the REAL damage of this breach is yet to come. That information is a treasure trove for money-motivated thieves who would sell it on the black market (see the recent CSO blog entry "Destroy somebody's life for just $20 per month"). The info is also a war chest of potential phishing attacks waiting to be sprung. The combination of personal info and trading activity makes it a lot easier for attackers to fake a "concerned company" email and get unsuspecting victims to "update" their info and/or provide additional data.

The most disturbing aspect of the whole event is that it was found in the same way that so many security vulnerabilities are found: when the damage is already done. This one was discovered a couple of weeks ago when investment-related spam and malicious code were found on the broker's information system. The code allowed a hacker to access information stored in the database, and TD Ameritrade has no confirmation of how much information was accessed or when. Was it an insider or an outsider? It doesn't matter; the stark reality is that this system, like most information systems in production today, is woefully insecure and inadequately audited for security vulnerabilities... until it's too late.

We have to stop hoping that regulatory compliance and state or federal laws will protect mission-critical applications. Passing a SOX or PCI audit doesn't mean your information systems are secure.
Organizations need to take the next step beyond that: independently and frequently conduct technical audits of mission-critical applications and information systems. You don't have to do this for the bottom half (or even the bottom 80%) of your applications, but you damn well better do it for your top 10-20%. In this case, the online trading system IS A HUGE PERCENTAGE OF THE TOTAL BUSINESS for TD Ameritrade (both individual and corporate customers use it). I know it's impossible to secure anything absolutely, but I bet we'll be writing and reading about this in a few weeks asking ourselves, "Gee... how did _that_ happen?" Just like TJX, CardSystems, AT&T, ChoicePoint... and the list grows...