Scottrade Misses Breach, Until Notified by FBI 2 Years Later

The investment firm acknowledges that hackers accessed 4.6 million people's names and addresses, but says other sensitive information was not taken during a 2-year-old hack.

Online thieves infiltrated the network of investment firm Scottrade nearly two years ago, stealing the names and addresses of 4.6 million customers, the company said on Oct. 2.

The company did not detect the breach, but found out about the intrusion after federal law enforcement officials "recently informed" the retail investment firm of the incident. While the compromised servers also contained Social Security numbers, email addresses and other sensitive data, the attackers apparently did not target that information, the company stated.

"We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm," Scottrade said in its statement. "We have taken appropriate steps to further strengthen our network defense."

This is the second major breach announced in the last week. On Oct. 1, cellular service provider T-Mobile announced that sensitive information on 15 million customers had been stolen because of the lax security of its credit-checking partner, Experian. T-Mobile's CEO John Legere told customers that he is "obviously … incredibly angry" about the theft of records, which included not only information such as names, addresses and birthdates but also encrypted fields with Social Security and other ID numbers, and that he planned to review the company's relationship with Experian.

"Experian has determined that this encryption may have been compromised," he said in the company's statement.

The Scottrade breach happened between late 2013 and early 2014, the company said, and may have ended in February 2014. The company released few other details about the incident.

"We have no reason to believe that Scottrade's trading platforms or any client funds were compromised," Scottrade said. "Based upon our internal investigation and information provided by the federal authorities, we believe a list of client names and street addresses was taken from our system."

Other security experts questioned whether the company would even know what was taken and how.

"Few, if any, organizations store log data reaching that far back and it's no wonder Scottrade cannot definitively state what data was taken for this reason," Trey Ford, global security strategist at Rapid7, said in a statement. He added that customers should not rely on the company to secure their accounts. "We recommend that Scottrade customers perform a careful review of their account records, and change their password," he said.

The delay in notification to Scottrade and to its customers may indicate that the FBI is building a case against the group that attacked the company, according to Tim Erlin, director of IT security and risk strategy for Tripwire.

"The FBI is unlikely to explain in detail why notification of this breach took so long, but it's not uncommon for an ongoing investigation to delay notification so that criminals aren't tipped off," he said.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...