Ameritrade's Stock Spam Problem: The Timing Couldn't Be Worse

There has been some serious chatter about Ameritrade’s (AMTD) platform being compromised in some way, including the fact that customers’ accounts could be in jeopardy.

It seems that the minute that you sign up for a new Ameritrade account, you are bombarded with third party Ameritrade/stock spam. What does this mean? Somewhere during the client signup or login to Ameritrade, the user’s account information (E-mail address at a minimum) is being collected and used to resend spam back to the user. This would constitute a serious security breach. What else is being collected? Perhaps it’s not a software issue at all, but rogue employees of Ameritrade selling client information. How far does the penetration go, and where is it in Ameritrade’s system? Regardless of the mechanism of the breach, this is serious, and the responsibility to pinpoint the problem will ultimately come to unhappy regulators with Ameritrade customers holding pitchforks and torches right behind them.

Bennet Hasleton of Peacefire ran a test to see if he could duplicate and prove the problem exists. It does. He signed up for an Ameritrade account using an e-mail address consisting of 16 random alphanumeric characters, which would be extremely difficult to guess mathematically. He then kept the E-mail address private – he was the only one that knew it. Lo and behold, he began receiving Ameritrade spam at this address as soon as he completed the sign up process. This is clear proof of a serious security issue.

Read more about Bennet’s experiment here.

Ameritrade has issued a statement acknowledging the problem, which has sent the conspiracy-minded into overdrive. The following comment from Ameritrade is particularly suspect: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." This doesn’t really serve any security function but cleverly removes (sort of) evidence from the user’s system. To delete it would be a prudent request, but emptying the trash?

The Ameritrade response:

We understand your concern and frustration over the spam e-mail you’ve received, and we want you to know that we take your privacy and security seriously. We will continue to do all we can to protect both.

Our investigation into this issue is ongoing. We’ve recently expanded the directions in which we’re investigating, and have doubled our efforts in both internal and external investigations. We’re looking at our own systems, and working closely with our vendors to examine theirs.

We continue to make progress and work very hard at investigating this issue, but unfortunately we still don’t have an update we can share with you at this time. We hope you understand that sharing details of exactly what we have learned so far can compromise the ongoing investigation.

Please be sure to delete any spam you might receive, then empty your e-mail’s trash so that it’s no longer kept there, either.

If you haven’t lately, you might want to review the Security Center online, which has details about spam, and also about the Asset Protection Guarantee. It protects you if you lose cash or securities from your account due to unauthorized activity. If that happens, we can guarantee we’ll reimburse you if you work with us in three ways: 1) keep your account information secure and confidential, 2) frequently check your account and report any suspicious activity to us immediately, and 3) take steps we request if your account is ever compromised.

We understand that this issue is a nuisance and that it’s troubling. And we thank you for your cooperation and patience as we get to the bottom of it.

Whatever the response from Ameritrade, it is clear that more light needs to be shed on this serious problem. This is clearly an issue that can affect shareholder value if Ameritrade trading volume declines and people close accounts because of lack of trust. There is significant downside risk here if this problem starts to receive national media attention. Remember that this is a financial company with highly valuable information like social security, trading and bank account numbers.

It’s also worth noting that ChoicePoint (CPT), the data broker that suffered a security breach in 2005, settled last week with 44 states and will pay a fine of $500,000. This is on top of the $15 million already levied by the FTC which was the largest civil penalty in FTC history.

ChoicePoint’s stock fell 21% within one month after the media exploited the story. Two years after the event, the stock still hasn’t recovered to its pre-incident high.

The timing of this couldn’t be worse. With mounting pressure on management to agree to a deal to be acquired by either E*Trade (ETFC) or Schwab (SCHW), which is being put forth by hedge funds JANA Partners and S.A.C. Capital Partners, this is not a good time to have the kind of serious structural issues that could blow up any deal. Hedge funds that are long can switch to short in an amazing amount of time.

If Ameritrade is confronted with a situation similar to ChoicePoint, expect the stock to excrete large volumes of pain.

AMTD 1-yr chart

Disclosure: No positions of any kind in either Ameritrade or ChoicePoint.