Security → Scottrade Hacked

Got an email that Scottrade has now been hacked. Click here.

It was all over the headlines for about 3 hours yesterday afternoon. It is now sanitized from all news outlets. Even Yahoo finance has dropped the story, with their current headline being "How Domino's plans to sell pizza to Italians"

You are right, it does seem to have been buried a little.

By searching specific sites (such as searching CNN for example) you can find it.

»money.cnn.com/2015/10/02 ··· dex.html
»www.nytimes.com/aponline ··· tml?_r=0

It was out just after the Experian/TMobile theft was announced. I read it since I wondered if the two were related.

Interesting to note that the news actually hit the wires 4 days ago on the 2nd:

»www.marketwatch.com/stor ··· 15-10-02

Seems strange that it had a resurgence yesterday and then got buried almost as quickly as it surged...

Perhaps the lower-key media coverage has to do with a perception that the data supposedly stolen wasn't the usual ID-theft-type things, but instead "contact information" was the target. Of course, the impact of the hack really revolves around both what info is contained in "contact info" and how accurate is Scottrade's assessment regarding the extent of the hack. As usual, the devil will be in the details. From the announcement referenced in the OP:

I had posted about this in another thread, having missed this one. The snip quoted above, that SS#s were exposed and yet that doesn't matter since they were after addresses (what???) is to be one of the two most disturbing bits of info in their email to clients. The most disturbing is the fact that this took place two years ago, and they are just notifying clients with the disingenuous excuse "Federal authorities had requested that they be allowed to complete much of their investigation before we notified clients."

I wasn't notified by them until this afternoon, by email, days after this was revealed to the public. Lousy job, Scottrade.

I think that ScottTrade's contention is that, while the SSNs and such were on the accessed system, they have reason to believe it wasn't targeted. How they determined that and how air-tight such a rationale might be are yet to be demonstrated. I think the media is taking the statement to mean the personal data area wasn't accessed, so no big deal. This isn't the first such leak to be delayed in the announcing... there was another one about a couple of years ago (in Georgia, as I recall) that had Fed-requested delays in the public announcement. Not that any of this is good, just that it has precedent.

Blackbird, first of all, if the system was accessed and all the info compromised, the SSNs were exposed. Reading the minds of the hackers and asserting that they somehow know they were only after "contact info" and not the equally accessible SSNs is ridiculous. Secondly, it's not uncommon for there to be a SLIGHT delay in revealing an exposure while and investigation begins, but when people are at risk like this and don't know it, that delay should NOT be two years! And choosing some little known credit organization to give one year of free advice if you are hacked (and the ability to register for monitoring that will require you to give further personal info to the agency, according to the email) is not really adequate. At least Experian gave everyone the monitoring, and for two years. Especially since the breach was long ago enough that many clients would have been compromised already, with nowhere to turn.

My buddy Steve Ragan over @csoonline.com wrote:

quote:

---

On Friday, in a letter to customers, the CEO of Dow Jones & Co. disclosed a data breach affecting 3,500 people. Based on public details, the incident seems similar to a breach reported by Scottrade last week that impacted 4.6 million investors.

In his letter, Dow Jones Chief Executive William Lewis said that law enforcement officials informed the company about the potential breach in late July. [...]

---

»www.csoonline.com/articl ··· ade.html

This is the most disturbing part:

"Last Friday, Scottrade Inc. alerted the public to a data breach that affected 4.6 million people. As was the case with Dow Jones, Scottrade wasn't aware of any problems prior to law enforcement notification."

How's that crack IT security team workin for ya? Thanks for lookin out for us, guys! It took THE COPS to tell ya you're being hacked. Not good for the end of the year evaluation.

A large part of the problem is that apparently the hack occurred 2 years ago, details regarding the hack itself haven't been released, and details about the hacked system (how or if part of its data was compartmented, encryption-protected, or whether/how its file access history was traceable) have not been made public. All that currently exists are ScottTrade's statement, some media reporting, and tons of speculation. I was not minimizing the nature or risks involving the actual hack, I was only noting that there may have been a legitimate rationale in ScottTrade's mind behind the kind of statement they made; and since all there is to go on at the moment for the public is that statement, the media may be reluctant to jump in too heavily (defamation lawsuits being what they are). Individuals, of course, are free to conjecture all they want.

I do understand your point. And usually, I advise caution in speculating; this just seemed such an egregious minimization on ST's part.

I also agree with the point made in the Dow Jones thread that both ST and Dow say they didn't know about the breaches until notified (WAY later) by law enforcement, which doesn't speak well for their internal safeguards and monitors! Interesting to understand how law enforcement even knows about a breach ata private company---I guess when they catch someone and find all this info in their possession?

With all the complex, broad traffic analysis going on by 'the authorities', I think that of all the things observed by them (at one level or another), only infrequently will any alerting information find its way into a process of informing unknowing victims about an intrusion. As I recall the episode a while ago in Georgia, it involved the Secret Service and major money movement, and there was serious Fed reluctance to spill anything to anybody until the authorities had 'run' back the crime network as far as it could be run - which took years. Superimposed on that kind of reality is the further reality that most of the monitoring is done at a level well above the FBI or local LE... so what is handed down to them is only a fraction of what is being observed at the topmost levels. Net result: only a fraction of a fraction of all that's monitored ever makes it down into a victim notification, and usually in anything but real time.

Still further on top of that, only a fraction of all the criminal activity that's truly going on is recognized by the highest monitoring levels. Hence... it's up to businesses to do their own continual and thorough vetting of their own systems and protection methods - and that is demonstrably not happening with any real effectiveness in all too many places. By the time a business finds out about a hack through LE channels and is released to make a public announcement about it, it's likely to be game over for everybody involved - even more so by the time the folks whose data is involved find out through the media, especially considering how long it will take for the media to get their story straight - the real damage to users is likely to have long since been done.

Totally agreed, Blackbird. While any breach of customer info is disturbing (i.e. TJMaxx), when it involves a financial institution (or a credit monitoring organization like Experian and the TMobile breach), it is a double betrayal and doubly inexcusable. They are trusted, and should be knocking themselves out to protect that trust.