Scottrade Bank Breach Highlights Third-Party Vendor Risk
When Scottrade Bank recently confirmed a data breach that exposed non-public information from 20,000 retail and business customers, it did something unusual.
Instead of offering no explanation, or only a vague description of events pending a full investigation, the St. Louis bank immediately pointed the finger at one of its vendors.
“On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a dataset to one of its cloud servers that did not have all security protocols in place,” the bank said in a statement at the end of last week. “As a result, the data was not fully secure for some time.”
The SQL file contained information on commercial loan applications for a business-to-business unit of Scottrade Bank. The bank said Genpact immediately secured the information, and attributed the exposure to a configuration error the vendor made when uploading the file.
Genpact declined a request for an interview, but made this statement: “Genpact takes data protection very seriously. As soon as we became aware of this case, we immediately secured the data file. We are conducting an analysis to determine the extent to which the data may have been accessed and have also engaged with a leading forensic firm to assist us in this regard. We believe this is an isolated incident and there is no indication that other customers or operations were affected.”
The database exposure was discovered by MacKeeper researcher Chris Vickery on March 31, while searching for random phrases on the s3.amazonaws.com domain.
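What made the file findable from the open internet was storage permissions, not a break-in: an object on a cloud server that anyone could read. The check below is an added example, written for this page rather than taken from Genpact, Scottrade or the article, of how to review the two settings that decide whether an S3 bucket is world-readable: the bucket ACL and the bucket policy. The data shapes mirror what boto3 returns from `get_bucket_acl()["Grants"]` and `json.loads(get_bucket_policy()["Policy"])`, but the bucket name, role ARN and grants below are constructed samples, not any real configuration.

```python
"""Offline exposure check for an S3 bucket's ACL and bucket policy.

The data shapes mirror what boto3 returns from get_bucket_acl()["Grants"] and
json.loads(get_bucket_policy()["Policy"]); the sample values at the bottom are
constructed for this example and are not any real bucket's configuration.
"""
import json

# The two predefined S3 groups that make a grant world-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, no credentials
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(grants):
    """Return ACL grants that let AllUsers or AuthenticatedUsers read."""
    return [
        g for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        and g.get("Permission") in READ_PERMISSIONS
    ]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (unconditional, conditional) Allow statements granting reads to anyone.

    Statements carrying a Condition are reported separately: some conditions
    (aws:SourceVpc, aws:SourceIp) genuinely restrict access, others such as
    aws:Referer do not, so they need a human look rather than a verdict.
    """
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        (conditional if stmt.get("Condition") else unconditional).append(stmt)
    return unconditional, conditional


def exposure_report(grants, policy):
    """Combine both checks into one verdict for a bucket."""
    acl_hits = public_acl_grants(grants)
    pol_public, pol_review = public_policy_statements(policy)
    return {
        "public": bool(acl_hits or pol_public),
        "public_acl_grants": acl_hits,
        "public_policy_statements": pol_public,
        "needs_review": pol_review,
    }


# --- constructed samples: a world-readable bucket and a locked-down one ---
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "example-owner"}

PUBLIC_GRANTS = [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
PRIVATE_GRANTS = [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]

PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-loan-data/*"
  }]
}""")
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl-uploader"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-loan-data/*"
  }]
}""")

if __name__ == "__main__":
    for name, g, p in (("public", PUBLIC_GRANTS, PUBLIC_POLICY),
                       ("private", PRIVATE_GRANTS, PRIVATE_POLICY)):
        print(name, json.dumps(exposure_report(g, p), indent=2))
```

Two caveats when running this against a live account: an object-level ACL can make a single uploaded file public even when the bucket ACL and policy are clean, which is exactly the "one file, one upload" shape of this incident, so object ACLs need checking too; and an account-level or bucket-level Public Access Block, if enabled, overrides public grants and should be read first, since it makes the whole question moot.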
“This is as bad as I expected,” he tweeted. “Linked to the bank. Clear passwords. Big name company. I contacted them.” The next day, he tweeted: “The discovery linked to the bank is now verified as safe. Agreed not to name any entity for 3 days. Allow for newspaper investigation and PR preparation time.”
Large fully loaded MSSQL database. It’s as bad as I expected. Bank related. Clear passwords. Big name company. I contacted them.
— Chris Vickery (@VickerySec) April 1, 2017
The bank said none of its own systems were affected by the breach.
This is not the first time that a supplier has accidentally compromised banking data. The most notorious third-party data breach of recent years is Target. The hackers first penetrated one of the retailer’s heating and air conditioning suppliers, then, via a billing system, broke into Target’s servers to steal the data of 40 million credit and debit cards and the personally identifiable information of 70 million shoppers. Target has been sued more than 140 times by banks, consumers and shareholders since the 2013 breach.
Overall, third-party vetting and monitoring is an increasingly important priority for banks, and so is keeping all sensitive information encrypted at all times; New York State regulators have emphasized both in their new cybersecurity rules. One caveat practitioners will recognize: server-side encryption that the storage service decrypts transparently for any permitted reader does nothing for a file whose permissions make it world-readable, so only encryption whose key the storage service cannot hand to an anonymous reader (client-side encryption, or a key with its own access policy) would have kept a misconfigured upload like this one unreadable.
“Inadvertently exposed databases containing sensitive information are not a new problem,” said Tim Erlin, senior vice president of information security and risk strategy at cybersecurity firm Tripwire. “Any organization that collects and stores sensitive data needs to be able to know where that data is and how that data is exposed.” Data access methods must also be secure, he added.
Scottrade has agreed to be sold to TD Ameritrade. It is unclear whether the breach will affect the $4 billion deal, which is due to close next quarter.