TD Ameritrade, which revealed on Friday that contact information for 6.3 million customers was stolen from one of its databases, was attacked by an insider, according to the vice president of marketing at Guardium."This has all the signs of an inside job," Phil Neray said. "I would say it's highly likely that is was done by a privileged administrator within Ameritrade."
In a video message on the company's website, Joe Moglia, TD Ameritrade's chief executive officer, said the company "recently discovered and eliminated unauthorised code" from the database. He also said the company is confident it knows the source of the breach.
The firm said the stolen information included names, addresses and email addresses, plus a variety of account activity information including the number of trades its customers had conducted in the last six months.
The company said there is no evidence that government issued numbers and birth dates in the database were stolen. In addition, passwords and user identification numbers were not in the database, and accounts opened after July 18 were not impacted.
While admitting "there's very limited information available now," Neray said the malicious code "could only be put there by someone with administrative access to the database."
"[Insider threats pose] a serious challenge for companies – most don't have systems in place for monitoring the actions of privileged insiders, and until recently, there weren't solutions available to monitor privileged insider use without disrupting performance on mission-critical systems," he said.
TD Ameritrade said it discovered the breach after customers said they had received spam offering unsolicited investment advice. The company did not reveal precisely when it learned about the breach.
TD Ameritrade said it is working with several US agencies, including the FBI, the Securities and Exchange Commission and the Financial Industry Regulatory Authority, to investigate the breach.