Shostack + Friends Blog Archive


RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee


The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc.

The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter from Dain head John Taft.

“While we have no information to believe that your personal information has been compromised in any way, we are treating this as a serious situation,” Taft wrote.

FBI agent Paul McCabe said the agency does not know how many accounts might be affected.

(Yeah, I don’t have “no information to believe” neither. But I do have reason to believe that information about these people has been compromised.)

Dan Callahan, a Dain Rauscher spokesman, said some clients have received anonymous letters sent last week by someone claiming to be a former Dain employee. The letter, received by a seemingly random group of more than 100 account holders, contained each recipient’s name, address, tax identification number, birthdate and Dain Rauscher account number.

You mean social security number, don’t you?

The Star Tribune obtained a copy of the profanity-laced letter, whose author said he was seeking revenge on Dain Rauscher because the company fired him.

The writer claims to have been able to copy information from “thousands” of accounts because Dain Rauscher did not remove his password from a mainframe computer. He claims to have sold the information to an unidentified buyer.

And finally, the company takes a cunning move from the ChoicePoint playbook, putting their own victimhood ahead of that of their customers:

“We are a victim, just like our clients,” Callahan said. “We take their protection very seriously.”

Hint to Dain Rauscher: I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. It has some useful advice.

Quotes are from “FBI checking theft of Dain clients’ data,” via InfoSecurity News.