October 2, 2015

Welcome to Day 2 of Cybersecurity (Breach) Awareness Month! Today’s awareness lesson is brought to you by retail brokerage firm Scottrade Inc., which just disclosed a breach involving contact information and possibly Social Security numbers on 4.6 million customers.

scottradeIn an email sent today to customers, St. Louis-based Scottrade said it recently heard from federal law enforcement officials about crimes involving the theft of information from Scottrade and other financial services companies.

“Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system,” the email notice reads. “Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.”

The notice said that although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, “it appears that contact information was the focus of the incident.” The company said the unauthorized access appears to have occurred over a period between late 2013 and early 2014.

Asked about the context of the notification from federal law enforcement officials, Scottrade spokesperson Shea Leordeanu said the company couldn’t comment on the incident much more than the information included in its Web site notice about the attack. But she did say that Scottrade learned about the data theft from the FBI, and that the company is working with agents from FBI field offices in Atlanta and New York. FBI officials could not be immediately reached for comment.

It may well be that the intruders were after Scottrade user data to facilitate stock scams, and that a spike in spam email for affected Scottrade customers will be the main fallout from this break-in.

In July 2015, prosecutors in Manhattan filed charges against five people — including some suspected of having played a role in the 2014 breach at JPMorgan Chase that exposed the contact information on more than 80 million consumers. The authorities in that investigation said they suspect that group sought to use email addresses stolen in the JPMorgan hacking to further stock manipulation schemes involving spam emails to pump up the price of otherwise worthless penny stocks.

Scottrade said despite the fact that it doesn’t believe Social Security numbers were stolen, the company is offering a year’s worth of free credit monitoring services to affected customers. Readers who are concerned about protecting their credit files from identity thieves should read How I Learned to Stop Worrying and Embrace the Security Freeze.


28 thoughts on “Scottrade Breach Hits 4.6 Million Customers

  1. Gamma

    This is classical penny stocks pump the price motivated attack but on the much lower scale than the J.P Morgan incident. It’s sad that the company firstly learnt about breach from federal law enforcement instead from their security team and that the breach went unnoticed for almost 2 years.

  2. Chip

    Hmmm….interesting, wonder if this is all Scottrade customers or some subset. If all it will be interesting to see how long it takes them to notify everyone, nothing in my e-mail yet.

  3. George G

    Thanks, Brian, for the news.

    I have been a Scottrade customer for years, yet I have not received any email from the on this.

  4. Robert.Walter

    Having moved a number of brokerage accounts for my mother this spring, I was surprised how easy (and free) it is to move accounts from one brokerage house to another.

    I suggest that customers impacted by this breach vote with their mouses and move to a house that seriously values the protection of customer assets and PII.

  5. dbalad

    Yea, they encrypted my password; wait my Social Security Number was not encrypted?? What the hell?

    1. Anthony

      Unlike a lot of US breaches however, credit card information was not compromised.

      … and it’s still unlikely when POS systems get hacked here, the vast bulk of card readers (since move to CnP) being owned by a bank or processor (Eg. Tyro) and encrypting from the PIN pad through to the bank, such that the POS equipment never ever even sees the full card details and the PIN pad firmware updates are controlled by the supplying bank or processor.

      Some exceptions around things like car park terminals, but generally an in store experience here is going to involve a bank or processor provided terminal.

  6. Nobody_Holme

    I realise people are daft and fall for Nigerian princes, but how on earth do penny stock scams actually work?

    Surely everyone who has enough to trade in stocks and shares either has enough clue not to fall for it or has their broker do all the work, who would then alert them to what the stock might well be when told to invest (because it’s in their own interest to do so to avoid the loss to the client and thus their own status etc?)

    What am I missing here? Is it really that easy to do on your own with no interaction with a broker?

    1. dbalad

      How do you make money on penny stock scams, see Def Con 17 presentation Stealing Profits from Stock Market Scammers on YouTube for an outline of how it is was done in the past.

    2. Steph

      Two kinds of people fall for pump-and-dump scams: (a) some people are just that naive; (b) people who know it’s a scam and think they can sell while the price is rising before the scammers do.

  7. Mike

    “…..Cybersecurity (Breach) Awareness Month!”

    lol

    Interesting that it’s the same month as Halloween.

    Trick or treet! (Hack’n tweet)

    Let’s bet on how fast we can trade these compromised customer accounts…..we might just get it pushed out before the first ID theft can be made public.

  8. j

    My wife received a Scott Trade email yesterday. I don’t bank there.

    Here it is:
    =========

    Dear Client:

    We are writing to share with you important information about a security compromise involving a database containing some of your personal information, as well as steps we are taking in response, and the resources we are making available to you.

    What Happened

    Federal law enforcement officials recently informed us that they’ve been investigating cybersecurity crimes involving the theft of information from Scottrade and other financial services companies. We immediately initiated a comprehensive response.

    Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system. Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.

    Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident.

    The unauthorized access appears to have occurred over a period of several months between late 2013 and early 2014. We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm. We have taken appropriate steps to further strengthen our network defenses.

    What Happens Now

    Federal authorities had requested that they be allowed to complete much of their investigation before we notified clients. In coordination with them, we are now able to alert you of this incident. We are fully cooperating with law enforcement in their investigation and prosecution of the criminals involved.

    Notices like this one are being sent to all individuals and entities whose information was contained in the affected database, and we have included here information about steps you can take to protect yourself.

    Information about this incident is available online at https://About.Scottrade.com/CyberSecurityUpdate, and we will update that web page if new data becomes available.

    What You Can Do

    As always, we encourage you to regularly review your Scottrade and other financial accounts and report any suspicious or unrecognized activity immediately. As recommended by federal regulatory agencies, you should remember to be vigilant for the next 12 to 24 months and report any suspected incidents of fraud to us or the relevant financial institution. Please also read the important information included on ways to protect yourself from identity theft.

    We encourage clients to be particularly vigilant against email or direct mail schemes seeking to trick you into revealing personal information. Never confirm or provide personal information such as passwords or account information to anyone contacting you. Please know that Scottrade will never send you any unsolicited correspondence asking you for your account number, password or other private information. If you receive any letter or email requesting this information, it is fraudulent and we ask that you report it to us at phishing@scottrade.com. Be cautious about opening attachments or links from emails, regardless of who appears to have sent them.

    Identity Theft Protection

    As a precaution, Scottrade has arranged with AllClear ID to help you protect your identity at no cost to you for a period of one year. You are pre-qualified for identity repair and protection services and have additional credit monitoring options available, also at no cost to you.

    You can call AllClear ID with any concerns about your identity at 855.229.0083. This hotline is available from 8:00 am to 8:00 pm (central) Monday through Saturday.

    We have also included additional steps you could consider at any time if you ever suspect you’ve been the victim of identity theft. We offer this out of an abundance of caution so that you have the information you need to protect yourself.

    We are very sorry that this happened and for any uncertainty or inconvenience this has caused you. We know that incidents like these are frustrating. We take the security of your information very seriously and are committed to continually strengthening and evolving our defenses based on new and emerging threats.

    Sincerely,
    Scottrade

    Brokerage products and services offered by Scottrade, Inc. – Member FINRA and SIPC.

    AllClear ID Identity Theft Protection

    We have arranged to have AllClear ID help you protect your identity for one year at no cost to you, effective Oct. 2, 2015. You are pre-qualified for AllClear SECURE identity repair and protection services and have additional credit monitoring options available with AllClear PRO, also at no cost to you.

    AllClear SECURE: The team at AllClear ID is ready and standing by if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises, simply call 855.229.0083 and a dedicated investigator will do the work to recover financial losses, restore your credit and make sure your identity is returned to its proper condition.

    AllClear PRO: This service offers additional layers of protection including credit monitoring and a $1 million identity theft insurance policy. To use the PRO service, you will need to provide your personal information to AllClear ID. You may sign up online at https://scottrade.allclearid.com or by phone by calling 855.229.0083.

    This hotline is available from 8:00 am to 8:00 pm (central) Monday through Saturday.

    Please note: Additional steps may be required by you in order to activate your phone alerts and monitoring options.

    Important Identity Theft Information: Additional Steps You Can Take to Protect Your Identity

    The following are additional steps you may wish to take to protect your identity.

    Review Your Accounts and Credit Reports

    Regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies.

    You may obtain a free copy of your credit report online at http://www.annualcreditreport.com by calling toll-free 1.877.322.8228, or by mailing an Annual Credit Report Request Form (available at http://www.annualcreditreport.com) to: Annual Credit Report Request Service. P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.

    • Equifax, P.O. Box 740241, Atlanta, Georgia 30374-0241. 1.800.685.1111. http://www.equifax.com
    • Experian, P.O. Box 9532, Allen, TX 75013, 1.888.397.3742. http://www.experian.com
    • TransUnion, 2 Baldwin Place, P.O. Box 1000, Chester, PA 19016. 1.800.916.8800. http://www.transunion.com

    Consider Placing a Fraud Alert

    You may wish to consider contacting the fraud department of the three major credit bureaus to request that a “fraud alert” be placed on your file. A fraud alert notifies potential lenders to verify your identification before extending credit in your name.

    Equifax: Report Fraud: 1.800.525.6285
    Experian: Report Fraud: 1.888.397.3742
    TransUnion: Report Fraud: 1.800.680.7289

    Security Freeze for Credit Reporting Agencies

    You may wish to request a security freeze on your credit reports. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services. If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you up to $10.00 each to place, temporarily lift, or permanently remove a security freeze.

    To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies by regular, certified or overnight mail at the following addresses:

    • Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348
    • Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
    • TransUnion Security Freeze, Fraud Victim Assistance Department, 2 Baldwin Place, P.O. Box 1000, Chester, PA 19016

    To request a security freeze, you will need to provide the following:

    • Your full name (including middle initial, Jr., Sr., Roman numerals, etc.)
    • Social Security number
    • Date of birth
    • Address(es) where you have lived over the prior five years
    • Proof of current address such as a current utility bill
    • A photocopy of a government-issued ID card
    • If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
    • If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Don’t send cash through the mail.

    The credit reporting agencies have three business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.

    To lift the freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include (1) proper identification (name, address, and Social Security number), (2) the PIN number or password provided to you when you placed the security freeze; and (3) the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

    To remove the security freeze all together, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three business days after receiving your request to remove the security freeze.

    Suggestions if You Are a Victim of Identity Theft

    • File a police report. Get a copy of the report to submit to your creditors and others that may require proof of a crime.
    • Contact the U.S. Federal Trade Commission (FTC). The FTC provides useful information to identity theft victims and maintains a database of identity theft cases for use by law enforcement agencies. File a report with the FTC by calling the FTC’s Identity Theft Hotline: 1-877-IDTHEFT (438-4338); online at http://www.ftc.gov/idtheft; or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., N.W., Washington, D.C. 20580. Also request a copy of the publication, “Take Charge: Fighting Back Against Identity Theft” from http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.pdf.
    • Keep a record of your contacts. Start a file with copies of your credit reports, the police reports, any correspondence, and copies of disputed bills. It is also helpful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties.
    Take Steps to Avoid Identity Theft

    Further information can be obtained from the FTC about steps to take to avoid identity theft through the following paths: http://www.ftc.gov/idtheft; calling 1-877-IDTHEFT (438-4338); or write to Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., N.W., Washington, D.C. 20580.
    Maryland residents can learn more about preventing identity theft from the Maryland Office of the Attorney General, by visiting their web site at http://www.oag.state.md.us/idtheft/index.htm, calling the Identity Theft Unit at 410.567.6491, or requesting more information at the Identity Theft Unit, 200 St. Paul Place, 16th Floor, Baltimore, MD 21202.

    North Carolina residents can learn more about preventing identity theft from the North Carolina Office of the Attorney General, by visiting their web site at http://www.ncdoj.gov/Help-for-Victims/ID-Theft-Victims.aspx, calling 919.716.6400 or requesting more information from the North Carolina Attorney General’s Office, 9001 Mail Service Center Raleigh, NC 27699-9001.

    Vermont residents may learn helpful information about fighting identity theft, placing a security freeze, and obtaining a free copy of your credit report on the Vermont Attorney General’s website at http://www.atg.state.vt.us

    Massachusetts residents are reminded that you have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security Number, date of birth and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.

    1. Jonathan E. Jaffe

      AllClear ID Identity Theft Protection

      At least that isn’t owned by EXPERIAN who just exposed 15 million T-mobile customers and applicants!

  9. jim

    It’s amazing.tracks and trails. Length of breach. I am wondering. Could this be part of one gang, who were following a trail? Scott trade, needed unique identifiers. Credit agencies needed unique identifiers, hucks, you need a unique identifier. And every person in the world needs a unique identifier. So every country comes up with a number of its citizens, that is supposed to be unique. And it is tied to you as a not a proof number. But is used by business as a unique identifier tied to you. So , why? Is it kept in the open? Unencrypted on an encrypted system? Or stored on open file systems? Or even referenced?
    I love it, knowing how insecure retail has to be to move products, that financial instruments are even less secure. So this ties in pretty close to the first articles of router and computer backdoors, with a little developmental time? Say ten to twelve? And someone found it? After all to move packets around un-noticed? You need access, and government mandated access was guaranteed by backdoors.

  10. Bill

    The most alarming thing about this breach is the fact that Scottrade was not even aware until the authorities told them about it. I wonder how many companies have legitimate security teams who take legitimate security measures with their data. It has become pretty obvious that many companies simply do not take security seriously.

    I recall a few weeks ago when the stock market systems experienced a “glitch” or two. It made me wonder if hackers were testing out methods to tweak stocks in their favor or even worse ruin the systems.

    1. CarolineST

      Bill – I very much agree with you, the fact it went unnoticed is especially concerning. If it was some small online retailer, you could maybe understand but Scottrade?

    2. IA Eng

      HA ! That’s why I will invest in real things, things that I can hold and own vice a bunch of digital numbers that can easily be taken over by some other entity.

      For me, I find other ways to solidify my retirement/ investments. These companies want people to experience the ease in which to make accounts and do actions with the mother load of your information. It just makes it easier for others to crack the way to that potential easy street. Software can- and will – be broken by other software. Pick your poison. For instance, a safe full of precious metals, or a handful of invisible One’s and Zero’s.

  11. WhollyScott

    I’ve been a Scottrade customer since they first went online in the mid 90’s. But I have yet to receive any communication from them about the breach. They must be still pulling their pants back up.

  12. Joel Adams

    Brian,

    A bit off topic here. I have noticed that one of your advertisers is Berkeley Varitronics Systems. The ad is for their Watchhound product, a sniffer that logs “prohibited” cell phone activity.

    This item looks to be at odds with the goal of your website/blog. The device logs information about your activities, should you be in the vicinity, without your knowledge.

    Other product line sold by BV Systems is called the Wolfhound. It is advertised as a device to be used to track and locate phones. They advertise the Pro version as having GPS to help track/find a phone.

    The products of this company, gaining information of others activities without their knowledge, would seem to run counter to your website’s goal. You might want to check them out and see if this company’s advertising dollars are worth the cheapening of your site.

    With all due respect,

    Joel Adams

  13. George G

    I got the email from Scottrade on this topic this afternoon, 5 days after Brian’s report.

  14. Craig M

    Just received my notice today.

    Even if the SSN#’s weren’t the target, I’m wondering why the attackers would use the SSN#’s as a secondary profit stream?

  15. CyberGuyPR

    The notices are trickling in super slow. I received mine a minute ago.

  16. JohnO

    I’ve had a Scottrade A/C for years, and just got mt notice today: Thursday, Oct. 8th. My wife, who just rolled her IRA A/C over to Scottrade this year, received her notice several days ago!

  17. Ben

    *sigh* Passwords should be hashed (and therefore not recoverable), not encrypted. It’s possible that the letter ix oversimplifying things and that Scottrade was handling login passwords properly, but this only further undermines my trust in the company’s security practices (or lack thereof).

  18. Red

    Just got my email notification on this breach. I know the email says that passwords appeared to be uncompromised, but could someone tell me whether it might be a good idea to change mine anyway, just to err on the side of caution? Thanks in advance.

  19. 8108575

    We’ve had our “big 3” credit reports frozen since 2008, including with Innovis. Sure, it’s a little tedious to lift the freezes for a short time when necessary but it’s been well worth the effort IMHO. Since then we’ve been personally affected by breaches at Target, Home Depot, Chase, Primera/BCBS and now Scottrade. Sadly, I see no end in sight and it’s just a matter of time before we’re told who’s the latest to be hacked (or has already been hacked and we haven’t been told yet).

    The one thing that serioulsy P’s me off is that we’re continually advised to avoid behaviors that would give hackers a foothold on our data. In all of the above cited instances, we did nothing wrong except to maybe give those companies our business. It was their data security policies and procedures that lead to the massive exposures. One person can’t solve this problem so I’ll end my rant here. Thank you for reading my comment.

  20. scott trade

    Scottrade is so amateurish and fraudulent that it refuses to tell us–the affected customers–if their SSNs were ACTUALLY exposed. They use intentionally fuzzy language to make sure that this key point isn’t clear. And, they pass everything off as “We have been informed that…” or “The authorities have told us that…”. Calls to the corporate office are useless.

    It is clear that they have no corporate IT security.

Comments are closed.