Ameritrade may have been hacked since 2005

TD Ameritrade's systems may have been hacked in 2005

Online stock-trading firm TD Ameritrade was told on 9 January 2006 that its network may have suffered a security breach, according to a network security manager.

Despite the early warning from Joshua Fritsch, TD Ameritrade only confirmed last week that 6.2 million customer names, email addresses and phone numbers had been stolen by hackers.

However, Fritsch said that the spam email that was being sent in January 2006 showed that the network may have been compromised much earlier.

"I warned TD Ameritrade of a security breach in January 2006 which means that it is likely to have occurred in mid to late 2005," Fritsch told Network World magazine.

Fritsch, who has 15 years' experience of networking, said that he was first alerted to the problem because he created a specific email address for use with TD Ameritrade that he did not use elsewhere.

"It was never distributed anywhere else," he warned TD Ameritrade via a web feedback form. "Thus, your database has been compromised either by a hacker, or one of your employees selling the data."

TD Ameritrade's response claimed that the spam sent to that address had probably been part of a brute-force attack, where spam bots try every kind of address, or by a dictionary-type attack that used well-known words.

"We have no reason to believe that any of our systems have been compromised, " the company's reply said.

"Ameritrade deploys state-of-the-art firewalls, intrusion detection, antivirus software as well as full-time staff dedicated strictly to information security and protecting Ameritrade's systems from unauthorised access."

Fritsch replied again, suggesting that the company needed to review its secur ity practices.

"I and the man who hosts the receiving email server are both computer and network security specialists. If a full-blown dictionary spam attempt had been made, the source would have been cut off long before it got to the combination of 'ameritrade'," he said.

Ameritrade responded this time by saying that the concerns had been passed on to management.

Fritsch's next warning was sent in August 2006, including samples of the spam emails being received.

It was at this point that Ameritrade admitted that it was "conducting a thorough investigation into this matter".

This week's announcement that data had been stolen from its systems came one year after that statement.

TD Ameritrade is currently being sued by some of its users over the spam they received.