Following news this week that hackers stole data on 15 million T-Mobile customers comes a new report that 4.6 million customers of the St. Louis-based brokerage firm Scottrade may have also been hit in a different breach.
The retail brokerage firm disclosed to customers in an email today, and in a notice on its web site, that it suffered a database breach that occurred between late 2013 and early 2014, but the company only learned of it recently when law enforcement agents notified Scottrade that it was investigating a rash of breaches involving financial services firms, according to spokeswoman Shea Leordeanu.
The company said that the thieves appeared to have access to the network for several months between late 2013 and February 2014.
The breach went undetected until the FBI recently notified Scottrade in late August that it had been hacked, Leordeanu told WIRED.
"They initially asked us to not share the information with our customers so that they could complete a part of their investigation," she said. "We were then alerted last Friday that it was all right to begin notifying our clients and we began to do that as quickly as possible."
The news was first reported by KrebsonSecurity.
Scottrade currently has 3.1 million customers according to Leordeanu, but the breach exposed the personal data of about 4.6 million people who had accounts before February 2014. Although the database contained names, addresses, email addresses and Social Security numbers of customers, the company indicated that the hackers appeared to exfiltrate only names and addresses of customers.
Asked if the company is aware of exactly how many names and addresses were exfiltrated, Leordeanu said, "We actually don't and … the reality is we may simply never know that number. So we have decided to notify everyone who could have been impacted."
The company said that it had "no reason to believe that Scottrade’s trading platforms or any client funds were compromised." Instead, it appeared that only contact information was the focus of the attack.
"All client passwords remained encrypted at all times," the company wrote in its email and web site notice. "We have not seen any indication of fraudulent activity as a result of this incident."
Leordeanu said that even though it appears that only names and addresses were taken, "we are offering [customers] a full year of identity theft protection."
