U.S. discount brokerage firm Scottrade has confirmed that a third-party data breach inadvertently exposed 20,000 of its customers’ non-public information.
On or around 1 April, security researcher Chris Vickery came across a 158.9GB Microsoft SQL database on the web. The database contained loan application information of a B2B unit within Scottrade along with the private information of 20,000 individuals and businesses. It’s not clear what information this file exactly contained. But Vickery told The Register that it contained names, addresses, Social Security Numbers, and even customers’ plaintext passwords.
Large MSSQL db fully loaded. It's as bad as I expected. Bank-related. Plaintext passwords. Big name company. I've reached out to them.
— Chris Vickery (@VickerySec) April 1, 2017
True to his tweet, the security researcher contacted Scottrade about his discovery. The discount brokerage firm responded by digging into the situation. It didn’t take long for its teams to learn what had happened.
Scottrade works with several third-party vendors to serve its customers. One of those vendors, Genpact, works within the firm’s B2B bank unit and has access to associated company information. Around the time of Vickery’s discovery, a staffer at Genpact uploaded Scottrade’s database to an Amazon-hosted SQL server. But the company’s analysis reveals the worker didn’t take adequate safeguards to lock down the server. This negligence made the information available for public viewing on the web.
Genpact has accepted full responsibility for the incident. As Scottrade explains in a company statement:
“Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file. Genpact is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis.”
The vendor is also working closely with Scottrade in verifying that all risks to customers are addressed.
This isn’t the first time the discount brokerage firm has experienced a security incident. In October 2015, Scottrade confirmed a data breach that exposed the information of approximately 4.6 million customers.