Scottrade Data Breach Lost 4.6 Million Customers’ Data To Hackers

The names and addresses of 4.6 million clients of Scottrade were obtained in a massive data breach that took place some time in 2013 or 2014, but we’re only finding out about it now.

Scottrade disclosed the data breach in a statement released on the brokerage’s website on Friday, October 2, 2015. According the the statement, the retail brokerage firm was unaware that the breach had taken place until contacted by the FBI.

“Federal law enforcement officials recently informed us that they’ve been investigating cybersecurity crimes involving the theft of information from Scottrade and other financial services companies. Based on our investigation and information provided by federal authorities, we believe the illegal activity involving our network occurred between late 2013 and early 2014, and targeted client names and street addresses.”

According to the announcement, hackers gained access to a database that included basic customer information, like names and addresses. The database also contained information of a more sensitive nature, including email addresses and social security numbers, but Scottrade does not believe that hackers gained access to that data.

Scottrade also claims that client password data was and is encrypted, so the hackers were not able to access any client accounts as a direct result of the data breach. Those affected by the breach should be wary of phishing and other social engineering attacks, and can change their passwords if they want, but no fraudulent account activity associated with the data breach has been detected.

“Although Social Security numbers, email addresses or other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident. We have not seen any indication of increased fraudulent activity as a result of this incident.”

Scottrade also encourages users to change their passwords regularly, even though the hackers didn’t obtain that information.

Trey Ford, a security strategist with Rapid7, told USA Today that while encryption makes it difficult to obtain hacked password data, it doesn’t make it impossible.

CNN reports that the the FBI investigation was still ongoing when Scottrade was informed of the data breach in August 2015, and that the feds asked the brokerage firm to stay quiet. That decision resulted in potential victims remaining unaware of the breach for another month or more, but the breach itself occurred years before Scottrade found out about it.

Current and former Scottrade clients who had accounts prior to February 2014 are able to obtain one year of free identity theft protection. More information about the free identity theft protection, which is offered through AllClear ID, can be obtained via Scottrade’s website.

Word of the Scottrade data breach arrived just one day after Experian went public with information about its own hacked servers. In the Experian attack, 15 million T-Mobile customers and credit applicants had their data stolen.

T-Mobile’s CEO took to Twitter immediately after news of the Experian data breach broke, personally engaging with affected customers. So far, Scottrade seems to have taken a more hands off approach to social media.

Most user complaints have been met with boilerplate answers.

October is National Cyber Security Awareness Month, and massive data breaches like the Scottrade and Experian hacks are one way to raise awareness.

Kiplinger once named Scottrade as one of the best online brokerages.

Have you been affected by the Scottrade data breach or another of the other high-profile hacks?

[Photo courtesy Dwight Burdette / CC BY 3.0]