Charles Schwab and TD Ameritrade are the latest firms to be sued for a data breach related to the ongoing cyberattack exploiting the MOVEit file-transfer software.
The suit, filed Wednesday by David Schultz in the U.S. District Court for the District of Nebraska, states that Schwab and TD waited nine weeks before telling Schultz, along with approximately 61,000 Schwab customers, that the hack had occurred.
The attack this year on the MOVEit file transfer system was orchestrated by the Cl0P ransomware gang. At least 734 organizations have reported MOVEit-related breaches, according to KonBriefing Research. Those reports have affected at least about 43 million people.
The class-action suit against Schwab and TD comes as there's less than two weeks to go before TD Ameritrade advisors and their clients' accounts are scheduled to move to the Charles Schwab platform.
Schwab said in a statement shared with ThinkAdvisor that "Generic and conclusory allegations are often devoid of accuracy and context. Our focus is protecting our clients. We do that by not only standing by them in such matters but by thoroughly investigating any incident that may affect them. Our notification practices are consistent with our mission to see the world through our clients' eyes and are in keeping with our regulatory obligations."
Schwab, TDA Suit Details
According to the complaint against Schwab and TD Ameritrade, Schultz received a Notice of Data Breach letter dated Aug. 3, on or about Aug. 22 from TD Ameritrade Client Services.
The letter notified Schultz that on May 30, 2023, Schwab and TD "became aware of an alert issued by Progress Software — the company responsible for the MOVEit file transfer program."
The letter, according to the complaint, notified Schultz that after an investigation, Schwab and TD "discovered unauthorized access to their customers' personal information which includes, but is not limited to Plaintiff's name, Social Security Number, financial account information, date of birth, government identification numbers, and other personal identifiers."
Schultz was further advised that "he should spend time mitigating his losses by taking steps to help safeguard his information, including following recommendations by the Federal Trade Commission regarding identity theft protection and placing a fraud alert or security freeze on his credit file," the complaint states.