TD Ameritrade client data stolen in computer breach

OMAHA - Online brokerage TD Ameritrade Holding Corp. said yesterday that one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.

A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority, and local authorities.

Ameritrade's customers have received unwanted e-mail ads because of the data theft. Spokeswoman Katrina Becker said there is no evidence that any customer suffered financial losses or was a victim of identity theft.

Becker would not say why the company was confident that Social Security numbers had not been taken.

Other Ameritrade databases where information such as passwords, user IDs, and personal identification numbers are kept were not violated, the company said.

Ameritrade plans to notify its customers about the data theft, and the brokerage posted information about it on its Web site.

"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," chief executive officer Joe Moglia said in a statement. "We sincerely apologize for that and any added concern this may have caused."

Ameritrade is telling customers they don't need to do anything with their accounts except "remain alert in guarding their personal information." The company's asset-protection guarantee would cover any losses in Ameritrade accounts because of identity theft or fraud.

Ameritrade said it was confident that it identified how the information was stolen, and it has changed its computer code enough to prevent the theft from recurring. It said any client who opened an account after July 18 was not affected.

Ameritrade discovered the breach in its system during a routine review of complaints about e-mail ads, and repaired it only recently, spokeswoman Kim Hillyer said. But the company's investigation was able to determine that the database had not been hacked after July 18.

"As soon as we found the issue and were able to stop it, we made plans to notify clients," Hillyer said.

Ameritrade hired ID Analytics Inc., which has expertise in identity theft, to help with the investigation, and it plans to continue using the San Diego company to monitor its servers for potential identity theft.

Hackers who steal e-mail addresses typically resell them to Internet-savvy criminals, said Alan Paller, the director of research at the SANS Institute, an organization in Bethesda, Md., that monitors hacking incidents and offers Internet security courses.

Stock promoters may use the stolen e-mail to pump up share prices so they can sell their holdings at a profit, Paller said.