TD Ameritrade reveals that MOVEit attacks exposed thousands


TD Ameritrade, a US stockbroker, had over 60,000 clients exposed via the MOVEit Transfer attacks, with attackers taking the financial account data of some users.

Attackers accessed the data by exploiting a bug in the MOVEit Transfer software. The Cl0p ransomware gang has taken credit for the exploit, breaching hundreds of companies since late spring 2023.

According to a breach notification letter, which TD Ameritrade sent to people affected by the breach, the company’s investigation of the incident revealed that “unauthorized individuals accessed a TD Ameritrade application of the MOVEit Transfer software and stole data.”

The company said that no internal systems were impacted, and there’s been no disruption to its daily services. TD Ameritrade offers an electronic trading platform for users to trade financial assets such as stocks, futures, options, and other common financial instruments.

“The affected information included your name and Social Security number, and also may have included one or more of the following: financial account information, date of birth, government identification numbers, or other personal identifiers,” the company’s letter said.

According to the information TD Ameritrade provided to the Maine Attorney General, the breach exposed 61,160 individuals. The company said it immediately halted any use of MOVEit Transfer upon learning about the incident.

TD Ameritrade is a subsidiary of the American Charles Schwab investment and banking firm. The company enjoys quarterly revenues exceeding $5 billion.

TD Ameritrade’s alleged negotiation

The Cl0p ransomware gang has taken credit for the MOVEit attacks. So far, the spree of data breaches is estimated to have impacted over 600 organizations and nearly 40 million individuals.

In late July, Cl0p complained on its dark web blog that TD Ameritrade was not dancing to the crooks’ tune and threatened to publish the stolen data.

The gang included a long post detailing that TD Ameritrade offered to pay $4 million for the stolen data in several installments, a move the criminals received as a stalling technique.

However, many MOVEit victims, under advice from law enforcement and insurance companies, have chosen not to engage with the cybercartel, as experts say that making a deal with any hackers can leave the door wide open for future extortion.

Cl0p and MOVEit attacks

Cl0p is a Russia-linked ransom group claiming responsibility for exploiting a SQL database injection flaw in the MOVEit Transfer file system, impacting thousands of companies worldwide.

Named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System.

Other prominent brand victims include Shutterfly, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.

Exclusive information, vetted by Cybernews, indicates that at least some of Cl0p’s affiliates might be residing in Kramatorsk, a Ukrainian city in the country’s embattled east. US officials are offering a $10 million bounty on the Cl0p gang.