Scottrade Bank data breach exposes 20,000 customer records
Scottrade Bank, a subsidiary of Scottrade Financial Services, Inc., recently secured an MSSQL database containing sensitive information about at least 20,000 customers that was inadvertently left exposed to the public.
The database was discovered by MacKeeper researcher Chris Vickery on March 31 while searching for random phrases on the s3.amazonaws.com domain.
Once the database was discovered, Vickery says he contacted the company and was eventually put in touch with a staff member from Scottrade Bank’s security team who helped secure the data. Two days later, Vickery said, he confirmed the issue was resolved.
The exposed database had no encryption and included 48,000 tenant credit profile lines and 11,000 guarantor lines, Vickery said. Each line contained information such as social security numbers, names, addresses, phone numbers, and other information that one would expect a bank to have.
Additionally, Vickery says the database also contained internal information, such as plain-text passwords and employee credentials used for API access to third-party credit reporting websites.
In a statement, Scottrade spokeswoman Shea Leordeanu said the database was secured within six hours and an investigation into the incident was underway.
“We are a customer-focused company and we will always act in their best interests,” Leordeanu said.
A written statement from Scottrade directed most of the questions Salted Hash had to a third-party provider used by the company called Genpact.
However, the company stressed that this was a case of human error and that Scottrade Bank’s own systems remained secure and were not involved. As for the API credentials, Scottrade said they are for a legacy, decommissioned system.
“On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a dataset to one of its cloud servers that did not have all security protocols in place. have not been fully secured for a period. The file contained commercial loan application information from a small B2B unit within Scottrade Bank, including non-public information relating to up to 20,000 individuals and businesses. that it was alerted to the issue, Genpact immediately secured that information and traced the issue to a configuration error on their part when uploading the file,” Scottrade’s statement explains.
Scottrade added that Genpact, a New York-based professional services firm, works exclusively with the B2B banking unit and does not have access to any other information.
“This appears to be a case of isolated human error on the part of the vendor in processing the dataset. It is important to note that we hold all of our third-party vendors to rigorous information security standards. The supplier has admitted responsibility for this incident,” Scottrade said.
In its own statement, Genpact confirmed Scottrade’s comments.
“Genpact takes data protection very seriously and undertakes a thorough analysis of log files and the environment to determine the extent to which data may have been accessed. It has engaged a leading forensics firm to assist in Genpact believes this is an isolated incident unrelated to its broader operations and there are no indicators of compromise to Genpact’s systems, network or work for other customers.”
Genpact said it would work with Scottrade to notify those affected, but did not provide exact details on the process or a timeline.
In 2015, Scottrade Inc. – another wholly owned subsidiary of Scottrade Financial Services, Inc. – alerted 4.6 million customers to a data breach affecting their personal information. Scottrade Inc. learned of the data breach after being contacted by the FBI.
While records exposed by the incident included Social Security numbers and other sensitive data, the company said it believes contact information was the primary focus of those responsible for the compromise of the database in which the data was stored.
Last October, it was announced that Scottrade Inc. would be acquired by TD Ameritrade and Scottrade Bank had entered into a similar agreement with TD Bank Group. They are working on this transition, which is expected to be completed in fiscal year 2017.
Copyright © 2017 IDG Communications, Inc.