Millions affected by Scottrade brokerage breach that dates back two years

Missouri-based retail brokerage firm Scottrade has suffered a breach nearly two years ago, but they are only notifying their customers about it now, because they only found out about it now.

“Federal law enforcement officials recently informed us that they’ve been investigating cybersecurity crimes involving the theft of information from Scottrade and other financial services companies. Based on our investigation and information provided by federal authorities, we believe the illegal activity involving our network occurred between late 2013 and early 2014, and targeted client names and street addresses,” the company explained in an online cyber security update.

“Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident,” they added. “We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.

If you’ve opened an account with Scottrade prior to February 2014, you’ll probably receive (if you haven’t already) a letter or email from the company notifying you of the breach, which also contains an offer for a year of free identity protection services through AllClear ID, and advice on things to do in order to minimize the effect this breach might have on their lives.

All in all, some 4.6 million customer accounts have been compromised.

Customers have not been advised to change their passwords, but it might be a good idea, despite their claims that the passwords are encrypted.

“We encourage clients to be particularly vigilant against email or direct mail schemes seeking to trick you into revealing personal information,” the company also noted. According to Brian Krebs, it’s possible that the stolen data will be used to facilitate stock scams, i.e. to inundate the affected customers with penny stock offers and similar schemes.

“The reported breach of Scottrade continues to intensify doubts of our personal information being safe,” commented Ryan Wilk, Director at NuData Security. “The breach is of extreme concern due to 1) the expanse of the breach and 2) the personally identifiable information (PII) that was potentially compromised and 3) speculating other potential intent of the hackers.”

“What victims of a breach don’t always recognise is that every bit of information is important. Coupled with details from another breach, more comprehensive identities can be built and sold for a higher value to hackers. To authenticate people applying for credit, loans, mortgages and other financial services, banks will ask questions based on information in these compiled records. Additionally, this using this information could be used to manipulate stock prices in a pump and dump scheme,” he pointed out.

“This breach is yet another indicator that the time has come for the next evolution in our game of cat and mouse with the fraudsters – and there are two potential strategies: 1) Put individual responsibility on each and every organisation to deploy CIA level security (Not a realistic strategy, and even the CIA has been hacked), and 2) Take an industry wide approach to make the data useless to the fraudsters,” he noted. “The second approach interests me. Even if the data is accurate, if they can’t use it because better technology prevents them there will be no economic incentive to seek it out.”

“This breach will definitely and seriously undermine trust in Scottrade,” he concluded. “This continues the evolution of an era in which to better protect against fraud, a ‘layered approach’ for identity proofing is needed as recommended by Gartner.”




Share this