Thoughts From The Scottrade Breach

Given the number of breaches that have happened in the last couple of years, many people have probably forgotten about the Scottrade breach.  To refresh your memory, back in 2013 hackers breached the Scottrade customer database and had their way with the credentials of 4 million plus customers.

Between September 2013 and February 2014, the hackers exfiltrated – a fancy word for stole – credentials for 4.6 million Scottrade customers.   While Scottrade has been very cagey as to exactly what was taken, the database breached contained name and address information, social security numbers, passwords and other sensitive data, whatever that means.

Scottrade was unaware of the breach, and the only reason they ever found out about it is that the FBI came knocking on their front door one day in August 2015 and said, “we’re from the government and…”  In this case, they were not exactly there to help, but rather to be the bearer of bad news.

What is also unclear is what happened between February 2014 when data was no longer being taken and August 2015 when the FBI came knocking on Scottrade’s door.  My guess is that there was no data left to steal.

The FBI asked them not to notify their customers until October of 2015 so they could complete their investigation.  Since the hackers had been in the system for two years by the time the FBI showed up, what difference could a couple of months make?

A couple of relevant thoughts.

  • Scottrade is a financial services firm.  The fact that hackers had free roam of their system from September 2013 to August 2015 and they did not know it is a bit disconcerting.  On the other hand, if a hacker was inside your system, would you know it?
  • It appears that Scottrade is not exactly sure what was accessed and what was taken.  That doesn’t inspire confidence either.  Again, if hackers were inside your system, would you know what data they had accessed?
  • The hacker(s) exfiltrated data on 4.6 million customers.  While we do not know where this data was sent and they probably have customers all over the world, Scottrade did not detect their customer data dribbling out of their system.  Would you detect data being exfiltrated by hackers?

So, in summary, Scottrade never knew hackers were in their system for two years (until the FBI told them), doesn’t know what data was taken and did not detect the data being exfiltrated.  For a large financial services firm, this is a concern.  However, if your company was in the same position, would you be in any better position?

That was all background.  Now on to the reason for the post.

Scottrade, like many companies who have been breached, was sued by their customers.  The customers alleged breach of contract, breach of implied contract, negligence and violations of multiple consumer protection statutes.

The Constitution requires that, in order to sue, you have to prove that you have suffered an injury, that the injury is fairly traceable to the conduct of the defendant and that a judicial decision will provide redress.  This is where most of the breach class action lawsuits get in trouble.  Since the credit card companies give you back your money in the case of fraud and even give you a new card, what, exactly, is your injury?

One creative breached company even went so far as to say, “how do you know the credit card fraud was a result of our breach and not some other breach?”  Prove that the hacker who used your card obtained it as a result of the breach we had and not some other breach, maybe unknown.  This, of course, is impossible.

This forces people to go towards loss of time, purchasing identity protection insurance, and risk of future harm. In this case, it appears that the hackers were interested in account information – so that they could spam Scottrade’s clients or possibly commit identity theft – no credit card data was believed to be taken, so there were no fraudulent credit card charges.

This made the lawyers really stretch.  They said that they didn’t get the full benefit of the Scottrade relationship since, as a result of the breach, their relationship was less valuable than they had bargained for.  Lastly, and this is a real stretch, they said that as a result of the breach their information became less valuable, since someone else was already selling it and they were less able to monetize their data.

The last one is lawyering at its best.  They are complaining that because someone else is trafficking in their stolen information, they couldn’t traffic in their own data – which they allege was private and they would be harmed if it was used.  That claim makes my head hurt.

A few weeks ago the District Court for the Eastern District of Missouri granted Scottrade’s motion to dismiss.

What is unclear is whether Scottrade lost customers as a result of the breach.  If I were in the market for an online broker, I would likely pick one that had not been breached over one that allowed hackers free roam of their system for two years and didn’t know.  Just my preference.

The useful lesson here for businesses is to understand how you would answer the questions in the bullets above.

Information for this post came from JDSupra.
