Discount brokerage firm Scottrade began firing off emails late last week, warning customers that as a result of a breach, their names and street addresses may have been stolen from its system.
Scottrade’s statement on the incident, published on its site last Thursday, doesn’t exactly rule out that more sensitive information, such as users’ Social Security numbers, was also stolen. In total, the contact information of 4.6 million Scottrade users appears to have been accessed, the firm claims.
The St. Louis-based company confirmed that information such as customers’ Social Security numbers, email addresses, and other data was on the same system that was accessed, but that at this time it believes contact information was the main focus of the attack.
“We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident,” the statement reads.
Further details on the attack are scant. In its statement, Scottrade claims that it didn’t find out about the breach until federal authorities contacted the company to say they were investigating “cybersecurity crimes” involving the theft of information from Scottrade and other financial services companies. It’s unclear exactly how attackers infiltrated the company’s system, but it appears they did so between “late 2013 and early 2014,” according to Scottrade.
The fact that there’s so little information about the hack shouldn’t come as a surprise, according to Trey Ford, global security strategist at Rapid7.
“Scottrade customers are in the dark about exactly what was taken, and don’t yet know where the data was taken from,” Ford said. “What we do know is that the data appears to have been taken 18-24 months ago. Few, if any, organizations store log data reaching that far back and it’s no wonder Scottrade cannot definitively state what data was taken for this reason.”
It’s unclear whether or not users’ passwords were in the same database as their names, addresses, and Social Security numbers, but the firm is stressing that they are encrypted, something that Ford notes isn’t always enough to protect them from hackers.
“While Scottrade is saying that, ‘all client passwords remained encrypted at all times,’ I feel compelled to remind consumers that encryption is not an iron-clad promise that the password will not be recovered – it raises the cost associated, and time required, for attackers to recover passwords from encrypted records,” Ford said.
With that in mind – as with any breach that leaks customer information – there’s a good chance Scottrade clients could see an uptick in phishing emails and scams, especially those rigged to trick them into giving away their passwords.
“As a precaution,” the firm is planning to offer identity theft protection to all 4.6 million affected users.
As recent incidents have shown, it’s possible the leaked information could ultimately be used as part of a stock manipulation scheme.
When authorities arrested four men in Florida and Israel over the summer in connection with another financial services hack, the breach of JPMorgan Chase, court proceedings revealed the attack may have been the beginning of a complex spam email chain campaign. As part of a “multiyear campaign,” the hackers were apparently hoping to leverage millions of spam emails to trick well-connected investors into investing in otherwise menial stocks.