Cyber Incident Victim: Charles Schwab

On or around May 28, 2023, TD Ameritrade, Inc., an affiliate of Charles Schwab & Co., Inc., experienced a security incident. The breach was an external system breach involving hacking. The incident was part of a larger, international hacking event targeting the MOVEit Transfer software application, which was historically used by TD Ameritrade to share files. According to law enforcement, an international group of cyber criminals was responsible for hacking the MOVEit Transfer application to steal electronic files. This criminal activity impacted hundreds of organizations globally, including several U.S. government agencies. The breach at TD Ameritrade occurred over a period of three days, from May 28, 2023, to May 30, 2023.

The breach was not discovered until August 1, 2023. Upon discovery, immediate action was taken to contain the threat. The use of the MOVEit Transfer application was halted entirely to prevent any further unauthorized access or data exfiltration. Law enforcement agencies were alerted to the incident following its discovery. The incident did not impact TD Ameritrade’s or Charles Schwab’s core business operations or other internal systems. The compromise was confined to the MOVEit file-sharing platform.

The information acquired by the attackers included personal identifiers in combination with financial data. Specifically, the compromised data consisted of names along with financial account numbers or credit/debit card numbers. These financial identifiers were acquired in combination with their corresponding security codes, access codes, passwords, or PINs for the accounts. The total number of persons affected by this breach was 61,160. This figure included 143 residents of the state of Maine.

The company assessed that less than 0.5% of its total client base may have been affected by this incident. The primary consequence was the potential exposure of sensitive client information, which could be used for fraudulent purposes. Despite the data compromise, the incident did not result in any disruption to the firms' operational capabilities or their trading platforms.

The response included direct communication with the affected individuals. The type of notification provided to consumers was written notification. The dates for consumer notification were set for August 8, 2023. As part of the breach response, identity theft protection services were offered to the impacted individuals. These services were provided by IdentityForce and were offered for a duration of 24 months. The offering of these services was a protective measure to help monitor for and mitigate potential identity theft or financial fraud resulting from the exposure of personal and financial data.

Charles Schwab publicly addressed the incident on its website, confirming its connection to the broader international MOVEit hacking campaign. The company emphasized its focus on protecting clients and referenced its existing security guarantees, which cover losses due to unauthorized activity in client accounts. The firm stated that updates were being provided to the limited number of affected clients and that communication would be handled directly with them as appropriate. The incident was reported to the Office of the Maine Attorney General by counsel for the entities, fulfilling state data breach notification requirements. The submission to the Maine AG included a copy of the notice sent to affected Maine residents.