October is National Cyber Security Awareness Month and it kicked off with the wrong kind of bang as Scottrade announced a security breach. The investment accounts and brokerage services firm published a report about a hack that exposed 4.6 million clients to cybercriminals.
A federal investigation revealed that illegal activity involving its network occurred between late 2013 and early 2014, and targeted client names and street addresses, according to a Scottrade statement. Social Security numbers, e-mail addresses and other sensitive data were stored in the breached system, but it appears that the contact information was the hacker’s main focus.
“We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident,” the company said in the statement. “We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm. We have taken appropriate steps to further strengthen our network defenses.”
This Is Mindboggling
We turned to Mark Bower, global director of product management, enterprise data security for HP Data Security, to get his reaction to the data breach. He told us it’s almost mindboggling that yet another major data breach has been revealed in less than a week. He was referring to news of last week’s Experian data breach that exposed 15 million T-Mobile customers to hackers.
“In this case, while the passwords may remain safe, one has to ask if the customers’ personal data was protected in the same manner,” Bower said. “With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive databases to protect consumer trust and satisfaction.”
Bower said it’s important that businesses follow best practices of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data at rest, in use and in motion. He said this is especially urgent in the financial services industry and with data processors.
New Table Stakes ‘Take’
Casey Ellis, CEO of Bugcrowd, a firm that helps organizations like Pinterest, Tesla and Western Union run crowdsourced security programs, told us he’s watching one thing closely: a trend away from credit card data — or the table stakes “take” of the cybercriminal — toward personal data.
“There has been a shift in targeting, which to me signals a shift in the way criminals are calculating their return on investment in these hacks,” Ellis said. “It also indicates that criminals are becoming more efficient in capitalizing personal data, which is interesting, too. Extracting a gain from personal information at scale is far more cumbersome than pulling money from a stolen credit card.”