Nearly 5 million customers' details stolen from brokerage firm

News by Max Metzger

Last year, Scottrade, a US broker, was subjected to a breach that saw a potential 4.6 million customers' records stolen. They only found out in August.

Nearly five million customers have had their details leaked after a breach at a US-based brokerage firm a year ago, and are only finding out now.

Customers of Scottrade, a retail brokerage firm, received an email last Friday detailing a breach that had happened over a year ago. That breach involved the theft of 4.6 million customers' details. The email read: “Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system.”

The system that was breached contained addresses, names and social security numbers but in the email Scottrade stated it believed that the attackers were focused on contact information.

Mike Loginov of Ascot Barclay, a cyber-security firm, spoke to SC, expressing scepticism that the attackers just took contact information: “That to me would seem unusual and contrary to a typical compromise where the most valuable data is harvested as a priority.” But if the claim is true, “at best this may be a statement from the hacker community that this organisation needs to get serious about the state of its systems security.”

Curiously, Scottrade made it clear to customers in the email that in its view it had not been compromised: “Importantly, we have no reason to believe that Scottrade's trading platforms or any client funds were compromised.” This could mean that the attackers were able to penetrate the system by stealing the details of someone who had the relevant credentials, or that the attacker could even be someone with relevant credentials.

While Scottrade has around three million customers, all of whom were potentially affected by the breach, the breach may have affected as many as 4.6 million present and former customers. US law requires details to be kept on the company's records for several years even after business has ceased between the parties.

The attackers had access between late 2013 and early 2014, and Scottrade was alerted to the breach when the FBI told the company in August. So why has it taken so long for Scottrade to issue a warning to customers who may have already been further victimised by the criminals who stole their details?

Tim Erlin, director of security and product management at Tripwire, a cyber-security company, spoke to SC, offering some insight. Erlin maintained that: “The FBI is unlikely to explain in detail why notification of this breach took so long, but it's not uncommon for an ongoing investigation to delay notification so that criminals aren't tipped off.” He added: “Cyber-criminals behave more like an infestation than the usual metaphor of a burglar. Once they're inside, it takes more than a rolled-up newspaper to get rid of them.”

Shea Leordeanu, a spokesperson for Scottrade, assured SC that Scottrade is also offering any customers possibly affected by the breach a full year of identity theft protection. She added: “We take information security very seriously and have taken numerous steps to further strengthen our network defences. Security is an ongoing process and we are committed to continually strengthening and evolving our defences based on new and emerging threats.”

This may well be a sign of things to come, according to Loginov. “With the average number of records being breached at a rate approaching 2,000 files every 60 seconds for the past four years it seems reasonable to expect pretty much all electronically stored records will have been compromised or exposed in the not too distant future.”

Europeans should not be complacent, adds Loginov, noting that North America has mandatory breach disclosure laws: “We should not be complacent this side of the pond; the reality is that there is no reason to doubt that it's happening here to the same degree.”

Brian Krebs, the investigative journalist who was among the first to report the breach, wrote on his blog that: “It may well be that the intruders were after Scottrade user data to facilitate stock scams, and that a spike in spam email for affected Scottrade customers will be the main fallout from this break-in.” A similar case, Krebs reported, played out a few months ago when New York prosecutors filed charges against five people, suspecting that the five had been involved in the theft of contact information in order to facilitate the manipulation of penny stocks.

