Shostack + Friends Blog Archive

 

Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker"

Info is spotty on this, but according to a WFMY TV News report,

Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands.
Officials with Scottrade, an investment company with an office in Greensboro, say a security breach compromised the information of some of its account holders.
A letter to customers says a hacker broke into the E-secure system which transfers money from customers’ bank accounts to their investment accounts.
The letter says the breach happened October 25th.
One local Scottrade customer, who wishes to remain anonymous, says he got the letter on November 25th.
“Who knows when the information will drop off from whoever hacked into the system,” the man says. “Who knows if information is up on a chat room right now being sold to the highest bidder.”

But never fear. “Scottrade officials say despite access to the information, they aren’t certain the hacker actually took the information.”
[Adam adds: Brian Krebs has more details in “Brokerage Firm Hack Endangers Investors”]

6 comments on "Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker""

  • Saar Drimer says:

    yeah… the usual ritual… blame it on the “hacker.”
    It’s nice to have a scapegoat for the unsuspecting public. This is getting irritating.

  • DTFN says:

    It is amazing how little coverage this major security breach is getting in the popular media AND on the Internet. Advertising dollars can work wonders, can’t they? And for the record, my letter arrived on Nov 26th.

  • Letters did arrive later, but I bet that was because they were trying to get info from the vendor whose servers caused the breach. Only customers who used e-check were possibly at risk. The only way your ss # may have been at risk is if your state uses your ss # as your drivers license number. Check out this link for those that have more questions. There is info about the credit bureaus, what needs to be done, etc. Credit reports will be sent at no charge.
    http://www.scottrade.com/security

  • Chris Walsh says:

    @Happy:
    I see that Scottrade has asserted that SSNs were revealed for those who have them as DL or state ID numbers. They base this, near as I can tell, strictly on assertions made by Troy Group.
    Accordingly, I went to the demo site for eCheckSecure that Troy Group runs. The interface is clunky, but if you go to http://demo.echecksecure.net/merchant/imi.dll/buyform1 which is one of the screens you get to after putting an item in your cart and starting to pay, you will see it asks for your Social Security Number. It does not ask for your DL or state ID number. So, in order to really know what is at risk, we need to know what information Scottrade customers needed to enter.

  • Roy says:

    Ameritrade (a much larger firm) also uses Troy Group’s echeck, but Ameritrade has yet to tell its investors about the breach. At least Scottrade informs its customers.

  • james says:

    SSNs only in the database if your state uses your SSN# as your DL#…..
    echeck never required anyone give their SSN, only their DL#
