BreachExchange mailing list archives

Scottrade didn't know about data breach until feds showed up


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Oct 2015 18:27:54 -0600

http://www.computerworld.com/article/2989033/cyberattacks/scot-trade-didnt-know-about-data-breach-until-feds-showed-up.html

When an organization gets hacked, ideally they'll realize it promptly and
warn their users right away. Take crowdfunding site Patreon, which was
hacked on Monday and has already informed the world about the problem.
Scottrade, an investment brokerage company, is different, and not in a good
way.

The company announced Friday that it suffered a security breach over a
period of several months from late 2013 to early 2014, affecting
approximately 4.6 million customers. But in a statement, Scottrade said it
had no idea that the breach had occurred until law enforcement officials
told them about it.

Remember: this is a company that is charged with storing real money and
managing investments. Let that sink in for a second.

The FBI notified Scottrade of the breach in August but asked that the
company hold off on disclosing the attack until it had wrapped up another
part of its investigation. The company was cleared to disclose the breach
at the end of last week and began informing customers Friday.

To its credit, Scottrade said that it believes attackers obtained only
clients' names and street addresses -- not the Social Security numbers,
email addresses and other sensitive data stored in the compromised system.
According to the company, the attackers didn't compromise Scottrade's
trading platforms, and clients' funds were untouched.

People who had a Scottrade account prior to February 2014 may have been
affected by the breach. Those people who Scottrade knows were affected will
be notified of that by email. The company isn't suggesting that users
change their passwords, since it believes that they remained encrypted
during the attack.

As is expected in these sorts of cases, Scottrade is offering affected
customers a free year of identity theft protection. It's not clear how much
good that will do, since the data was taken more than a year ago, but
offering that sort of service is something consumers expect from a breach
response at this point.

Looking forward, the company said that it has secured the intrusion point
the attackers used to get into its systems, and conducted an internal
investigation with the help of an unnamed computer security firm. The
company also said that it has further secured its network.

These aren't the only data breaches revealed this week. T-Mobile and
Experian said yesterday that 15 million people may have been affected by a
mammoth breach that could include data like names, birthdates and Social
Security numbers.

Incidentally, October is National Cyber Security Awareness Month in the
U.S. And now at least 20 million people have had their awareness raised.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 