Brokerage Hack Endangers Investors
St. Louis-based Scottrade, one of the nation's largest private online stock brokerage houses, has alerted its customers that a hacker break-in may have compromised the security of an untold number of accounts.
The company did not disclose how many of its 1.3 million customers may have been affected, but noted that the breach likely only affects those customers who used its eCheck Secure service to transfer money from their bank account to their Scottrade investment accounts.
The company put the blame on its eCheck Secure service provider -- Troy Group Inc. -- which reported that on Oct. 25 a computer hacker had compromised its servers: "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," Scottrade said in a statement on its site.
That's quite a bit of sensitive information. Scottrade is the fifth or sixth largest private online trading company, depending on whom you ask.
Troy Group's official statement about this break-in said the company had filed a report with the FBI and is investigating the incident.
Scottrade says customers who use their Social Security number as their driver's license or state ID card number should seriously consider placing a fraud alert on their credit file.
By Brian Krebs | November 26, 2005; 7:05 PM ET
Categories: Latest Warnings
Posted by: Ben | November 27, 2005 2:54 AM
What Scottrade did not state in its press release is that it took them exactly 1 month, that's right almost 30 days to notify me that my bank account and bank routing number may have been compromised. Scottrade was notified on Oct. 25, 2005 that account info was hacked, I received my letter on Nov. 24, 2005. Needless to say I have cancelled my Scottrade account and advise others to do the same.
Posted by: Dan | November 28, 2005 9:56 AM
I got the letter on Saturday November 26th and am FURIOUS at this stupid trading firm. Never, ever, ever again would I entrust a penny to these idiotic jerks.
Posted by: Tony | November 28, 2005 2:29 PM
I think all of the above should contact their local broker. Have any of you ever written a check to Wal-Mart and the cashier asked for a driver's license number and phone number? Hmmm... I believe that is the same info that was transmitted to eCheck Secure. Scottrade was a victim in its own sense due to the nature of the compromise considering it was ECHECK that was compromised. Shouldn't your blog be titled, "Say NO to echeck secure, rather than canceling an account with Scottrade!!!"
Posted by: jim | November 29, 2005 12:31 AM
The real question is whether or not the compromise will make a difference to Scottrade's business!
To what extent will people's confidence be shaken remains to be seen...
See...
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf
Posted by: Ken | November 29, 2005 9:30 AM
What is interesting to me is that the stock price of Troy did nothing on the day of the press release. It even went up a few days later. Even more interestingly, and this is just an observation - there was a huge volume of Troy's stock moved 4 days before the public announcement of the security breach. Hmmmmm....
Posted by: Jim A. | November 29, 2005 4:10 PM
Scottrade was not hacked, Troy Group was; it is not known if any info was taken, or that Scottrade's files were accessed. What I want to know is why Ameritrade has not told its echeck customers about the possible breach; they use the exact same vendor, TROY GROUP! Same servers!
Posted by: Robert | November 30, 2005 7:46 PM
Ameritrade Was Hacked, Close your Account Now! That is what the title should read, considering they use the same echeck vendor as Scottrade, and have way more echeck accounts. Why isn't this reported anywhere? Answer = Ameritrade is keeping it a secret.
Posted by: Martin P | November 30, 2005 7:50 PM
hello??
anyone there
when you write a check
your checking # and routing # are at risk
your real fury should be on the other firms that use eCheck and why they haven't told anyone
ameritrade & american express
scottrade's mistake was telling crazy fools like you about this !
Posted by: james | December 2, 2005 8:16 PM
This is not the first major hack into Scottrade. Back in January I tried to report two VERY serious issues to Scottrade and they basically refused to fess up to the security problems.
They did not fix the issues until after I informed them that I was going public about them.
The two issues as reported are archived here:
"Scottrader Application Exploit"
http://seclists.org/lists/bugtraq/2005/Feb/0252.html
"Scottrade Trade History Exploit"
http://seclists.org/lists/bugtraq/2005/Feb/0254.html
I only reported two vulnerabilities to Scottrade. I knew about a few others, but because Scottrade refused dialog with me and failed to act responsibly I decided not to disclose the issues to them.
To sum it all up, this is _not_ the first time such a major compromise has happened with the company and after investigating their security a bit, I can also tell you this will not be the last.
Good luck!