TD Ameritrade Data Leak Worse Than Disclosed
There are plenty of news releases out there on TD Ameritrade’s data leak, but nowhere in those news releases does it mention the more important point. That point is buried in the e-mail from TD Ameritrade CEO Joe Moglia to its customers.
The database that was raided contained customer Social Security Numbers.
Here are excerpts of the e-mail I received from TD Ameritrade — emphasis added by me:
TD AMERITRADE
September 14, 2007
Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.
Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.
What we want you to know:
- Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
[...]
While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country’s largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.
[... They then go on to talk about how to protect myself from identity theft. I imagine tip one should be "Don't use TD Ameritrade".]
Sincerely,
Joe Moglia
CEO
TD AMERITRADE
I want to make sure everyone who reads this understands this. They not only exposed a database with PII to the outside world, but the exposure included SSNs. And while they don’t have evidence that SSNs were harvested, they also can’t say they weren’t because of their stupidity in exposing it in the first place.
How is this not behind layers of firewalls? If this were a government agency, there’d be hearings out the wazoo (trust me, I know). But they get to release a glossy little press release, and the major news outlets parrot their stance — that the only harm was a little extra spam.
This is utterly ridiculous.