SeekingFOUND: Heroic Whistleblower
Update (May ’10): Since early ’09, I’ve been receiving information that answers many questions about the breach. Since being notified of the breach in October ’05, TD Ameritrade launched 4 related investigations. I know who ran each one, and the detailed findings, if they come to light, will be very embarrassing to those who performed them. All of them were apparently designed not to find anything and to provide plausible deniability. The Information Security department appeared to have ‘successfully’ failed to find what many of their customers, including several prominent ones, knew: someone was stealing massive amounts of customer PII from their computer systems. But increasing pressure due to my lawsuit led to a fifth investigation, which found evidence of the problem. Later investigations were also apparently designed to – and ‘successfully’ failed to – find evidence of massive identity theft due to stolen Social Security Numbers. Those who were instrumental in these ‘successes’ were rewarded handsomely, while those who found evidence of the breach were punished severely. I’ve updated this post to publicly provide a bit more information from the whistleblower than what I had previously disclosed.
Help! I’m hoping a whistleblower will step up to provide additional info regarding the extent of the TD Ameritrade breach.
If you have whistle-blower information about what happened, please help. If you know anyone who works at any of these companies who could help, please speak to them. Think you might be able to help answer the many unanswered questions I have? Please contact me privately, such as by leaving a message for me using the comment feature; comments are moderated by me; private messages won’t be approved/posted publicly but rather read and archived privately.
Here’s what I surmise happened: At some point, presumably due to my lawsuit or the injunction filing, TD AMERITRADE finally started seriously looking into the breach we had informed them of eons earlier. Someone at TD AMERITRADE, or ID Analytics, or Mandiant, perhaps by placing canaries and watching for them on the wire, or through triggers, or tripwire tools, or malware search tools, found evidence that their boxes had been compromised, e.g. a rootkit or backdoor or the active PII (Personally Identifying Information)-compromising code. Most likely, there was a combination of these people, tools and compromises involved. Then I think there was a game of telephone: info about the breach went from the actual investigator/researcher up through levels of management, between companies (say from Mandiant to ID Analytics to TD AMERITRADE), up through the brilliant PR folks to Joe Moglia, who made an announcement, and then other mouthpieces at TD AMERITRADE made announcements and wrote FAQs and financial reports based on that announcement. This would allow what happened and what was publicly reported to diverge considerably.
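The "canaries on the wire" idea above is a standard detection technique: seed the customer database with a handful of invented identities that no legitimate process should ever send anywhere, then watch outbound traffic or proxy logs for them. The following is an added illustration of that idea, not code from this post or from any of the companies named in it; the canary records, the log format and the log lines are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed canary records. These identities do not exist; they are seeded
# into the customer table only so that their appearance in any outbound
# channel is, by itself, evidence that customer records are leaving the system.
CANARIES = {
    "canary-01": {"email": "r.halvorsen@example.net", "ssn": "900-12-3456"},
    "canary-02": {"email": "ana.petrova@example.org", "ssn": "900-98-7654"},
}

# Constructed outbound-proxy log lines (assumed format:
# "<timestamp> <src> -> <dst> <what>"). 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges, not real hosts.
SAMPLE_LOG = [
    "2005-10-03T02:14:07Z 10.0.5.21 -> 203.0.113.9 POST /sync len=4096 body=rows:...",
    "2005-10-03T02:14:08Z 10.0.5.21 -> 203.0.113.9 POST /sync len=512 body=R.Halvorsen@example.net,900123456,...",
    "2005-10-03T02:14:09Z 10.0.5.44 -> 198.51.100.7 GET /quotes?sym=AMTD",
    "2005-10-03T03:40:11Z 10.0.5.21 -> 203.0.113.9 SMTP DATA to=drop@example.com ssn=900-98-7654",
]


@dataclass(frozen=True)
class Hit:
    canary_id: str
    field: str
    line_no: int
    line: str


def _normalize(text: str) -> str:
    # Exfiltrated data rarely leaves in exactly its stored form: case can
    # change and SSN dashes are often stripped. Normalize both sides so that
    # "R.Halvorsen@..." still matches and "900123456" matches "900-12-3456".
    return text.lower().replace("-", "")


def scan_lines(lines):
    """Return every (canary, field) that appears in any log line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        haystack = _normalize(line)
        for canary_id, fields in CANARIES.items():
            for field, value in fields.items():
                if _normalize(value) in haystack:
                    hits.append(Hit(canary_id, field, line_no, line))
    return hits


def summarize(hits):
    """Count how many fields of each canary were seen; a canary that shows up
    across several fields suggests whole records, not a stray address."""
    return dict(Counter(h.canary_id for h in hits))


_DEST = re.compile(r"->\s+(\S+)")


def suspect_destinations(hits):
    """Destinations that received canary data, parsed from the original line
    (not the normalized one, since normalization mangles the '->' marker)."""
    dests = set()
    for h in hits:
        m = _DEST.search(h.line)
        if m:
            dests.add(m.group(1))
    return dests


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.canary_id}/{h.field}")
    print("per canary:", summarize(found))
    print("destinations:", suspect_destinations(found))
```

The value of the technique is that it needs no knowledge of how the compromise works: whether data leaves via a rootkit, a backdoor or a bulk export, a seeded record surfacing on the wire is conclusive, and the destination it went to is the natural starting point for the rest of the investigation. In practice the canary set is refreshed periodically and the matcher runs on the egress path (proxy, mail gateway, DLP sensor) rather than over a static file as here.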
If for some reason you don’t want to deal with me, by all means, consider heading over to wikileaks.org! If you are paranoid (and you should be!) the good folks at wikileaks have some good ideas (http://www.wikileaks.org/wiki/Wikileaks:Submissions) on how to ensure your confidentiality. Even if you contact me directly, please read that page to have an idea of what you are up against. Sarbanes-Oxley and other applicable laws prohibit some retaliation against whistleblowers, but it still happens; anonymity is a far better tool. Be aware that organizations such as the NASD and FINRA are essentially *self-governing* bodies, i.e. their purpose is largely to protect companies like TD AMERITRADE! The SEC was informed of the issue in 2005; they didn’t take effective action. Update (May ’10): The SEC handled the complaint much like it handled the now-famous 2005 Markopolos complaint that informed the SEC that Bernie Madoff was running the world’s largest Ponzi scheme, in which Markopolos, similarly, wrote in Red Flag #25: “The NASD and NASDAQ do not exactly have a glorious reputation as vigorous regulators untainted by politics or money!” Both complaints alleged and proved that there was a serious problem at one of Wall Street’s largest firms. In both cases, the SEC failed to take effective (or really, any) action.
Please be aware: I don’t disclose security problems irresponsibly; you shouldn’t assume I’d make everything you provide public. I’m happy to communicate in any reasonable form – phone, email, mail, web (e.g. reply to this post), or other methods (I’m good with VoIP, IRC, IM, SMS, anonymous email, S/MIME, PGP/GPG, gzip, PKZip, Winzip, RAR, tar, ftp, ssh, scp, winmail.dat, you name it.) Some basic contact info is here: http://www.elvey.com/it/contact.htm. If you want you can just email me: matthew (at) elvey.com, but put “earthshattering” in the Subject to ensure I get your message; that will bypass filters that could reject or discard your message; if you do that, then you can send me attachments up to 50MB in size.
I think Ameritrade is hiding behind ‘security by obscurity’ claims and admittedly brilliant PR. Please help me prove it.
(If only their Security were half as good as their PR … )