Shostack + Friends Blog Archive


More info, thoughts on Troy Group breach

In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group.
According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, the same day. Scottrade isn’t using Troy Group’s service any more, and probably won’t use it in the future.
Given that “the hack” was a matter of public record on October 25, and Scottrade knew about it, why did it take them a month to let their customers know what happened?
Given that Troy Group has other financial sector customers, has any of them sent notices to their customers? Which have, and which haven’t? Why? This issue was raised in a comment by Roy to an earlier blog entry.
Why isn’t Troy Group talking? Maybe it’s because the mainstream press hasn’t latched onto this one yet. I suspect that may change.
Am I the only one who sees potential parallels to CardSystems here? Troy Group’s market cap is $26,000,000.
Finally, a confession. Remember the Simpsons episode where the Comic Book Guy is totally into everything having to do with the Radioactive Man movie? Well, if security breaches are Radioactive Man, I am the Comic Book Guy, and I can’t believe I missed the Troy Group press release. This is exactly why mandatory reporting to governmental agencies (as New York’s law requires) is a good idea.

One comment on "More info, thoughts on Troy Group breach"

  • Chris,
    You wrote:
    “. . . Am I the only one who sees potential parallels to CardSystems here? . . .”
    No, and I agree with your sentiments. But in the absence of a mandatory reporting agency and a lack of interest by the mainstream press, this story of a US$26MM company is unfortunately “contained” at the moment.
    And while you don’t “find them all”, I, and I’m certain that I’m not alone in this, appreciate your diligence.
