Expert Opinions on Scottrade breach that exposed personal information of 4.6 million customers

Brian Krebs recently reported that online stock brokerage Scottrade has suffered a breach that exposed the personal information of 4.6 million customers.

Scottrade officials said in an online advisory that the breach happened in late 2013 or early 2014 and exposed social security numbers, e-mail addresses and “other sensitive information.” The advisory said the attackers appeared to target client names and street addresses. The notice never made it clear if password data was also accessed, but unhelpfully, the officials said, “Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.”

Now that more of the details are available, @DFMag got the following opinions from security experts:

Mark Bower, global director, HP Security Voltage:

“It’s almost mind-boggling that yet another major data breach has been revealed in less than a week. In this case, while the passwords may remain safe, one has to ask if the customers’ personal data was protected in the same manner. With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive data bases to protect consumer trust and satisfaction. It’s important that businesses follow best practice of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data-at-rest, in-use and in-motion. This is especially urgent in the financial services industry and data processors.

Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.

Once again, this underscores the need for companies to protect the sensitive information they hold on their customers. While it’s not clear who is responsible, criminals are always looking for a way to exploit a system in a way that they can then turn stolen data into cold hard cash. In this case there is a further risk in that personal information about the user such as their name, full address, phone number and email address was taken. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.”

Ryan Wilk, director, NuData Security:

“The reported breach of Scottrade continues to intensify doubts of our personal information being safe. The breach has potentially compromised sensitive data of 6.4 million customers, in a week following the report of hackers stealing data from 15 million T-Mobile customers.

The Scottrade database contains social security numbers, email addresses, and other sensitive information, but it appears, according to Scottrade, that the hackers targeted names and addresses.

The breach is of extreme concern due to 1) the expanse of the breach, 2) the personally identifiable information (PII) that was potentially compromised and 3) speculation about other potential intent of the hackers.

What victims of a breach don’t always recognise is that every bit of information is important. Coupled with details from another breach, more comprehensive identities can be built and sold for a higher value to hackers. To authenticate people applying for credit, loans, mortgages and other financial services, banks will ask questions based on information in these compiled records. Additionally, this information could be used to manipulate stock prices in a pump and dump scheme.

This breach is yet another indicator that the time has come for the next evolution in our game of cat and mouse with the fraudsters – and there are two potential strategies:

1) Put individual responsibility on each and every organisation to deploy CIA level security. (Not a realistic strategy, and even the CIA has been hacked)
2) Take an industry wide approach to make the data useless to the fraudsters.

The second approach interests me. Even if the data is accurate, if they can’t use it because better technology prevents them there will be no economic incentive to seek it out.

Some organisations are already at the forefront of leveraging solutions that employ behavioural biometrics to uncover the true identity of the user behind the device. This analysis of user behaviour serves as a means of understanding how legitimate users truly act. They can easily identify suspicious activity, potentially coming from a fraudster who has procured legitimate account credentials from breaches or other sources.

This breach will definitely and seriously undermine trust in Scottrade. This continues the evolution of an era in which to better protect against fraud, a “layered approach” for identity proofing is needed as recommended by Gartner.”