Scottrade Victim to Data Breach

Per Wired (2015), “Following news this week that hackers stole data on 15 million T-Mobile customers comes a new report that 4.6 million customers of the St. Louis-based brokerage firm Scottrade may have also been hit in a different breach.”

“They focused primarily on snagging contact information, but the targeted system also included information as sensitive as Social Security numbers,” according to Engadget (2015). “Neither Scottrade’s trading platforms nor client funds were compromised and client passwords were fully encrypted at all times,” added USA Today (2015).

Our Analysis

Per Fox59 (2015), “the firm acknowledged that unknown criminals had broken into its computer network. The company said it didn’t know about the theft until it was alerted by the FBI in August.” This is NOT something that I would admit. Seeing as the attack occurred nearly two years ago, this tells customers, investors, and other attackers that you do not adequately monitor your information systems. This is not the right message to send.

Scottrade is quick to stress that neither passwords nor trading platforms were at risk, and it’s offering a free year’s worth of identity protection services if you’re still worried about fraud two years after the incident took place (Engadget, 2015).

The further problem (aside from failing to discover the intrusion) is that Scottrade could not inform customers, since it was itself unaware, so customers had no reason to suspect phishing or identity theft attempts and may have placed a falsely high level of trust in communications that appeared to come from the firm. For a company operating almost exclusively in the finance and stock market industries, security must be taken more seriously. I do not know the security infrastructure at Scottrade, but I can offer these initial suggestions:

  1. Require the use of “strong passwords”
    1. Change them every 60-90 days
    2. Require complex passwords or phrases
    3. Avoid dictionary terms
    4. Require special characters and numbers
    5. Set a failed attempt threshold
  2. Sanitize inputs from forms, API calls, and databases
  3. Consider multi-factor authentication
  4. Establish an awareness training program
  5. Ensure your vulnerability management program is working
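As an added example (not Scottrade’s code or anything from the article), the following Python sketch shows what items 1.1 to 1.5 look like when enforced in code: a policy check that rejects short, low-complexity or dictionary-based passwords, a maximum-age check for the rotation interval, and a per-account failed-attempt counter that locks the account once a threshold is reached. The thresholds (12 characters, 90 days, 5 attempts, 15-minute lockout) and the tiny wordlist are assumptions chosen for illustration, not values from the post.

```python
"""Password-policy and failed-attempt checks (added example; thresholds are assumptions)."""
import re
import secrets
from dataclasses import dataclass, field

# Constructed mini wordlist standing in for a real dictionary file.
DICTIONARY_TERMS = {"password", "welcome", "letmein", "scottrade", "summer"}

MIN_LENGTH = 12                 # assumption
MAX_AGE_SECONDS = 90 * 86400    # "change every 60-90 days": upper bound chosen here
MAX_FAILED_ATTEMPTS = 5         # assumption
LOCKOUT_SECONDS = 15 * 60       # assumption


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Dictionary check on the lower-cased value, as a substring match, so that
    # "Password123!" is still rejected despite its capital letter and digits.
    lowered = password.lower()
    for term in sorted(DICTIONARY_TERMS):
        if term in lowered:
            problems.append(f"contains dictionary term '{term}'")
    return problems


def password_expired(set_at: float, now: float) -> bool:
    """True once the password is older than the rotation interval (item 1.1)."""
    return now - set_at > MAX_AGE_SECONDS


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout (item 1.5)."""
    failures: dict = field(default_factory=dict)  # user -> (count, last_failure_ts)

    def is_locked(self, user: str, now: float) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return True
            # Lockout has expired: clear the counter so the user gets a fresh allowance.
            self.failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: float) -> int:
        count, _ = self.failures.get(user, (0, 0.0))
        self.failures[user] = (count + 1, now)
        return count + 1

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, supplied: str,
                  expected: str, now: float) -> str:
    """Return 'locked', 'failed' or 'ok'. A real system would verify a salted
    password hash here; the constant-time comparison stands in for that step."""
    if throttle.is_locked(user, now):
        return "locked"
    if secrets.compare_digest(supplied, expected):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "failed"


if __name__ == "__main__":
    print(check_password_policy("Password123!"))
    t = LoginThrottle()
    for i in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(t, "alice", "wrong", "Right-Pass-99!", 1000.0 + i))
    print(attempt_login(t, "alice", "Right-Pass-99!", "Right-Pass-99!", 1005.0))
```

Note that the lockout is keyed per account and times out on its own; a permanent lockout would let anyone deny a customer access by deliberately entering wrong passwords, so the threshold and the lockout window need to be chosen together.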

This is not an all-inclusive list; it is a starting point. I am sure they’re subject to PCI; they should consider adding the SANS Top 20 (listen to our podcasts about it here) or the NIST Risk Management Framework. Everyone, from the CEO to the janitor, needs to adopt a culture of security, nurture it, nourish it, and inspire others to be secure.


USA Today
Our blog post about the T-Mobile/Experian breach
Our SANS Top 20 Podcast

Image credit: Chris Yunker, Flickr

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows administration, with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and cyber security. Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly of baseball. He is also an avid gamer and enjoys learning different skills involving his PC.