MOVEit Breach Put Data of 61,000 TD Ameritrade Clients at Risk

A Charles Schwab location in New York

What You Need to Know

TD Ameritrade is one of hundreds of companies and government agencies affected by a cyberattack on a third-party file transfer system.
Client data compromised in the hack included names and Social Security numbers, the firm says.
Schwab reported in July that it had halted use of the MOVEit system and was working with law enforcement.

The personal data of more than 61,000 TD Ameritrade clients was exposed to hackers who breached an outside file transfer system, Progress Software’s MOVEit, according to an Aug. 3 Notice of Data Breach that the Charles Schwab-owned firm, which uses the software, sent to clients.

The breach was part of a broad criminal hacking operation related to a vulnerability in the MOVEit transfer software. The hacking operation has hit hundreds of companies and government agencies globally.

In the notice, TD Ameritrade outlined what occurred, the steps it’s taken to protect client information, and additional steps clients can take to ensure their information is further protected.

On May 30, the firm “became aware of a security incident involving MOVEit Transfer, a software application historically used by TD Ameritrade … to share files,” it said in the letter.

“Since learning of the incident, we have conducted a thorough investigation and determined that, between May 28, 2023, and May 30, 2023, unauthorized individuals accessed a TD Ameritrade application of the MOVEit Transfer software and stole data.”

TD Ameritrade said in its letter: “No other TD Ameritrade or Schwab systems or data were impacted, and all systems are operating normally. The results of our investigation have indicated that some of your personal information was included in the incident.”

See also  SEC Charges Lindsay Lohan, Other Celebrities With Crypto Violations

The affected information included client names and Social Security numbers, and “also may have included one or more of the following: financial account information, date of birth, government identification numbers, or other personal identifiers,” according to the firm.