TD secrecy on tech breach irks advisers

Financial advisers are questioning the decision of TD Ameritrade Holding Corp. to keep them in the dark after hackers gained access to their clients’ Social Security numbers, account numbers, phone numbers and e-mail addresses. The Omaha, Neb.-based broker first discovered that it had a potential breach — and began investigating it — before July, when clients complained about spam being sent to e-mail addresses only TD Ameritrade could know existed, according to Kim Hillyer, a spokeswoman for the company. It found the offending code used to hack into its database about a month ago, she added. But not until Sept.14 did the firm reveal that a hacker breach was behind the spam — a deliberate delay that surprised some advisers. “I assumed if there was a problem, they would have told me about it,” said Brian Skaggs, principal of Skaggs Financial Planning LLC of Seattle. “The problem is, there could have been a problem from not knowing.” Mr. Skaggs is not alone in expressing concern about the timing, but it would have been premature to make an earlier disclosure, said J. Thomas Bradley Jr., president of TD Ameritrade Institutional of Jersey City, N.J. “I have heard that from some advisers,” he said. “If we had done it previous to [Sept. 14], we wouldn’t have had the facts” that the investigation revealed about the extent of the damage that was done, Mr. Bradley said. The fact is that Social Security numbers of legacy TD Waterhouse Group Inc. clients couldn’t have been stolen, because those clients’ information was on the merged database for such a short time, he said. And there is no evidence that legacy Ameritrade Holding Corp. clients suffered this loss, either, Mr. Bradley added. But despite the lack of proof that any harm was done, advisers feel that their sense of trust was undermined, said Michael McBride, president of McBride Financial Advisors LLC of Seattle, which manages $70 million. “They say we’re partners, but they don’t treat us like it,” he said. “Bradley sent out a letter to [advisers] after everybody knew about it. We got blindsided, because they didn’t tell us until they told the clients.” Yet TD Ameritrade worked hard to manage the fallout caused by the breach, Mr. Bradley said. “We took this incredibly seriously, and the communication was meticulously planned so the advisers would have time to get prepared,” he said. The press release announcing the problem and the letter of explanation from TD Ameritrade chairman and chief executive Joseph Moglia to advisers were sent at about the same time, Mr. Bradley said. Besides the letter and press release, customer service representatives were available on a 24-hour, seven-day-a-week basis for questions surrounding the security breach, he added. There were also two conference calls with him and Mr. Moglia Sept. 14, another Sept. 15 and another last Monday. Each call lasted as long as questions remained, Mr. Bradley said. But Scot Stark, principal of Stark Strategic Capital Management Inc. of Freeland, Md., said that TD Ameritrade ’s solicitousness after the fact didn’t make up for two months of what he regarded as obfuscation. “The worst problems result if you do not come clean right away,” he said. The problems were disclosed within 24 hours of getting back the results of the internal investigation, Mr. Bradley said.
But timing aside, advisers said their loyalty to TD Ameritrade is being severely tested, because this problem is just the latest in a string of breakdowns related to service and technology to occur this year. “Advisers like me want to remain loyal, but our clients are first and foremost,” said Andy Millard, principal of Main Street Financial Group Inc., a Tryon, N.C., firm with about $50 million in assets. But the hacker break-in has no connection to some of the technical issues and service breakdowns that occurred as a result of the merger of the TD Waterhouse and Ameritrade brokerage platforms, Mr. Bradley said. Those problems are in the past, he added. Indeed, Kevin Norris, president of Girard Partners Ltd. of King of Prussia, Pa., which manages $175 million, agrees with that observation. “In the past 30 days, putting aside the spam issue, we haven’t had any operational issues, so I think they’re getting back on track,” he said. Just two of Girard’s 350 clients called him about the problem, Mr. Norris added. “It turned out to be a non-event,” he said. But this “non-event” may actually be a very lucky break, said Robert Ellis, a New York-based analyst with Celent LLC of Boston. Dodging a bullet “They may have dodged a major bullet,” considering that the hackers gained access to the database containing account numbers and Social Security numbers but apparently didn’t steal them, he said. Indeed, promises that these numbers weren’t downloaded are only mildly reassuring, because identity theft could still happen, Mr. Stark said. “Really the only thing [TD Ameritrade] did was have ID Analytics [Inc. of San Diego] do an investigation and promise reimbursement of lost assets,” he said. “If you’re a client, you’re not going to be compensated for your inconvenience if your identity is stolen.” But advisers shouldn’t be so certain that TD Ameritrade won’t compensate for identification theft, Mr. Bradley said. “That’s a fair question” of ID theft raised by Mr. Stark, he said. “If a client experienced ID theft, we would certainly feel responsible, and we would step in.” Advisers are likely to swallow these promises of good faith — for now, said Mr. Millard, who was impressed with how Mr. Moglia conducted himself amid some bare-knuckle questioning by advisers during last Monday’s conference call. One adviser asked him why custody clients should maintain their relationship with TD Ameritrade. Although Mr. Moglia gave the usual assurances, the tone of his delivery resonated with advisers. “He could have said, ‘Go someplace else,’” Mr. Millard said. “He understood the frustration of the guy. But that can only go so far. You’ve got to perform.” Brooke Southall can be reached at bsouthall@crain.com.