Brokerage Hack Endangers Investors

St. Louis-based Scottrade, one of the nation's largest private online stock brokerage houses, has alerted its customers that a hacker break-in may have compromised the security of an untold number of accounts.

The company did not disclose how many of its 1.3 million customers may have been affected, but noted that the breach likely only affects those customers who used its eCheck Secure service to transfer money from their bank account to their Scottrade investment accounts. 

The company put the blame on its eCheck Secure service provider -- Troy Group Inc. -- which reported that on Oct. 25 a computer hacker had compromised its servers: "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," Scottrade said in a statement on its site.

That's quite a bit of sensitive information. Scottrade is the fifth or sixth largest private online trading company, depending on whom you ask.

Troy Group's official statement about this break-in said the company had filed a report with the FBI and is investigating the incident.

Scottrade says customers who use their Social Security number as their driver's license or state ID card number should seriously consider placing a fraud alert on their credit file.

By Brian Krebs  |  November 26, 2005; 7:05 PM ET
Categories:  Latest Warnings  

Comments

This is not the first major hack into Scottrade. Back in January I tried to report two VERY serious issues to Scottrade and they basically refused to fess up to the security problems.

They did not fix the issues until after I informed them that I was going public about them.

The two issues as reported are archived here:

"Scottrader Application Exploit"
http://seclists.org/lists/bugtraq/2005/Feb/0252.html

"Scottrade Trade History Exploit"
http://seclists.org/lists/bugtraq/2005/Feb/0254.html


I only reported two vulnerabilities to Scottrade. I knew about a few others, but because Scottrade refused dialog with me and failed to act responsibly I decided not to disclose the issues to them.

To sum it all up, this is _not_ the first time such a major compromise has happened with the company and after investigating their security a bit, I can also tell you this will not be the last.

Good luck!

Posted by: Ben | November 27, 2005 2:54 AM | Report abuse

What Scottrade did not state in its press release is that it took them exactly 1 month, that's right almost 30 days to notify me that my bank account and bank routing number may have been compromised. Scottrade was notified on Oct. 25, 2005 that account info was hacked, I received my letter on Nov. 24, 2005. Needless to say I have cancelled my Scottrade account and advise others to do the same.

Posted by: Dan | November 28, 2005 9:56 AM | Report abuse

I got the letter on Saturday November 26th and am FURIOUS at this stupid trading firm. Never, ever, ever again would I entrust a penny to these idiotic jerks.

Posted by: Tony | November 28, 2005 2:29 PM | Report abuse

I think all of the above should contact their local broker. Have any of you ever written a check to Wal-Mart and the cashier asked for a driver's license number and phone number? Hmmm... I believe that is the same info that was transmitted to eCheck Secure. Scottrade was a victim in its own sense due to the nature of the compromise considering it was ECHECK that was compromised. Shouldn't your blog be titled, "Say NO to echeck secure, rather than canceling an account with Scottrade!!!"

Posted by: jim | November 29, 2005 12:31 AM | Report abuse

The real question is whether or not the compromise will make a difference to Scottrade's business!

To what extent will people's confidence be shaken remains to be seen...

See...
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

Posted by: Ken | November 29, 2005 9:30 AM | Report abuse

What is interesting to me is that the stock price of Troy did nothing on the day of the press release. It even went up a few days later. Even more interestingly, and this is just an observation - there was a huge volume of Troy's stock moved 4 days before the public announcement of the security breach. Hmmmmm....

Posted by: Jim A. | November 29, 2005 4:10 PM | Report abuse

Scottrade was not hacked, Troy Group was; it is not known if any info was taken, or that Scottrade's files were accessed. What I want to know is why Ameritrade has not told its eCheck customers about the possible breach. They use the exact same vendor, TROY GROUP! Same servers!

Posted by: Robert | November 30, 2005 7:46 PM | Report abuse

Ameritrade Was Hacked, Close your Account Now! That is what the title should read, considering they use the same eCheck vendor as Scottrade, and have way more eCheck accounts. Why isn't this reported anywhere? Answer = Ameritrade is keeping it a secret.

Posted by: Martin P | November 30, 2005 7:50 PM | Report abuse

hello??
anyone there
when you write a check
your checking # and routing # are at risk

your real fury should be on the other firms that use eCheck and why they haven't told anyone

ameritrade & american express

scottrade's mistake was telling crazy fools like you about this !

Posted by: james | December 2, 2005 8:16 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company