Scottrade Bank data breach exposes 20,000 customer records

60GB MSSQL database contained customer records and other sensitive data

Scottrade Bank, a subsidiary of Scottrade Financial Services, Inc., recently secured an MSSQL database containing sensitive information on at least 20,000 customers that was inadvertently left exposed to the public.

The database was discovered by MacKeeper researcher Chris Vickery on March 31, when he was searching for random phrases on the domain s3.amazonaws.com.

Once the database was discovered, Vickery says he contacted the company and was eventually connected to a staffer on the Scottrade Bank security team who helped secure the data. Two days later, Vickery said, he confirmed that the problem was resolved.

[Image: Scottrade Bank table example. Credit: Chris Vickery]

The exposed database had no encryption and included 48,000 lessee credit profile rows and 11,000 guarantor rows, Vickery explained. Each row contained information such as Social Security Numbers, names, addresses, phone numbers, and other information that one would expect a bank to possess.

In addition, Vickery says the database also contained internal information, such as plain text passwords and employee credentials used for API access to third-party credit report websites.

[Image: Scottrade Bank DB example. Credit: Chris Vickery]

In a statement, Scottrade spokesperson Shea Leordeanu said the database was secured in six hours, and an investigation into the incident is ongoing.

"We are a customer focused company, and will always act in their best interests," said Leordeanu.

A written statement from Scottrade directed most of the questions Salted Hash asked to a third-party vendor used by the company called Genpact.

However, the company stressed this was a case of human error and that Scottrade Bank's own systems remain secure and were not involved. As for the API credentials, Scottrade said they were for a legacy, decommissioned system.

"On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time. The file contained commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses. Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file," the Scottrade statement explained.

Scottrade added that Genpact, a professional services firm headquartered in New York, works exclusively with the B2B banking unit and had no access to any other information.

"This appears to be a case of isolated human error by the vendor in handling the data set. It is important to note that we hold all of our third-party vendors to rigorous information security standards. The vendor has acknowledged responsibility for this incident," Scottrade said.

In their own statement, Genpact confirmed Scottrade's remarks.

"Genpact takes data protection very seriously and is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis. Genpact believes this to be an isolated incident that is unrelated to its broader operations and there are no indicators of any compromise of Genpact’s systems, network, or work for any other clients."

Genpact said it will work with Scottrade to notify affected individuals, but didn't offer exact details of the process or a timeline.

In 2015, Scottrade Inc. – another wholly owned subsidiary of Scottrade Financial Services, Inc. – alerted 4.6 million customers about a data breach impacting their personal information. Scottrade Inc. learned about the data breach after being contacted by the FBI.

While the records exposed by the incident included Social Security Numbers and other sensitive data, the company said it believes contact information was the primary goal of those responsible for compromising the database where the data was stored.

Last October, it was announced that Scottrade Inc. would be acquired by TD Ameritrade and Scottrade Bank had reached a similar agreement with TD Bank Group. They are working through this transition, which is expected to close in FY '17.
