Scottrade Victim to Data Breach
Per Wired, (2015) “FOLLOWING NEWS THIS week that hackers stole data on 15 million T-Mobile customers comes a new report that 4.6 million customers of the St. Louis-based brokerage firm Scottrade may have also been hit in a different breach.”
“They focused primarily on snagging contact information, but the targeted system also included information as sensitive as Social Security numbers,” according to Engadget (2015). “Neither Scottrade’s trading platforms nor client funds were compromised and client passwords were fully encrypted at all times,” added USA Today (2015).
Per Fox59 (2015), “the firm acknowledged that unknown criminals had broken into its computer network. The company said it didn’t know about the theft until it was alerted by the FBI in August.” This is NOT something that I would admit. Given that the attack occurred nearly 2 years ago, this tells customers, investors, and other attackers that you do not adequately monitor your information systems. This is not the right message to send.
Scottrade is quick to stress that neither passwords nor trading platforms were at risk, and it’s offering a free year’s worth of identity protection services if you’re still worried about fraud two years after the incident took place (Engadget, 2015).
The issue that comes with this (aside from failing to discover it) is that Scottrade didn’t inform customers (since Scottrade was also unaware), so they had no reason to suspect phishing or identity theft attempts and were likely left with a falsely high sense of trust. For a company operating almost exclusively in the finance and stock market industries, security must be taken more seriously. I do not know about the security infrastructure at Scottrade, but I can offer these initial suggestions:
- Require the use of “strong passwords”
  - Change them every 60-90 days
  - Require complex passwords or phrases
  - Avoid dictionary terms
  - Require special characters and numbers
- Set a failed attempt threshold
- Sanitize inputs from forms, API calls, and databases
- Consider multi-factor authentication
- Establish an awareness training program
- Ensure your vulnerability management program is working
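The first two suggestions above (a strong-password policy with rotation, and a failed-attempt threshold) are concrete enough to show in code. The following is an added example written for this post, not code from Scottrade or from the original article; the 12-character minimum, the 5-attempt lockout, the `DICTIONARY_TERMS` stop list and the `LoginGuard` class are all assumptions chosen for illustration, and the 90-day limit is simply the upper end of the 60-90 day window named above.

```python
"""Added example: password policy and failed-attempt threshold checks."""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed stop list standing in for a real dictionary / breached-password list (assumption).
DICTIONARY_TERMS = {"password", "welcome", "scottrade", "qwerty", "letmein", "trading"}

MIN_LENGTH = 12                # assumed minimum; the post does not name a length
MAX_AGE_DAYS = 90              # upper end of the post's 60-90 day rotation window
FAILED_ATTEMPT_THRESHOLD = 5   # assumed lockout threshold


def password_policy_violations(password: str) -> list[str]:
    """Return every rule the candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for term in sorted(DICTIONARY_TERMS):
        if term in lowered:
            problems.append(f"contains dictionary term '{term}'")
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation window."""
    return (today - last_changed).days > max_age_days


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per account and locks the account at the threshold."""
    threshold: int = FAILED_ATTEMPT_THRESHOLD
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        """A successful login on an unlocked account resets its failure counter."""
        if not self.is_locked(user):
            self.failures.pop(user, None)

    def unlock(self, user: str) -> None:
        """Administrative reset after the account owner's identity has been verified."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4dor&3xample!"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
    guard = LoginGuard()
    for _ in range(FAILED_ATTEMPT_THRESHOLD):
        guard.record_failure("alice")
    print("alice locked:", guard.is_locked("alice"))
```

The lockout counter is kept per account so that one user's failures never affect another, and a locked account stays locked until an administrative `unlock`, even if the correct password is later supplied; that is what turns a password-guessing run into a visible event rather than a silent one.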
This is not an all-inclusive list; it is a starting point. I am sure they’re subject to PCI; they should consider adding the SANS Top 20 (listen to our podcasts about it here) or the NIST Risk Management Framework. Everyone from the CEO to the janitor needs to adopt a culture of security, nurse it, nourish it, and inspire everyone to be secure.
Image credit: Chris Yunker, Flickr
Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.