Brokerage firm Scottrade recently began notifying approximately 4.6 million customers that their personal information may have been exposed when hackers accessed the company's network "for a period of several months between late 2013 and early 2014."
Scottrade says it believes the attackers took client names and street addresses, but no other data.
"Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident," Scottrade said in a statement. "We have no reason to believe that Scottrade's trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident."
"We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm," the company added. "We have taken appropriate steps to further strengthen our network defenses."
All those affected are being offered free access to one year of identity protection services from AllClear ID.
Scottrade spokesperson Shea Leordeanu told investigative reporter Brian Krebs that the company learned of the breach from the FBI.
"Federal authorities should not be the avenue with which companies are discovering they may have been breached," Securonix director of insider threat Stewart Draper told eSecurity Planet by email. "In 2014 Scottrade was fined for failure to provide complete trade logs, blamed on an internal IT error from a migration. Accountability for these mistakes need to be taken at the highest levels of the organization to help drive awareness and improvement in security defense."
Bugcrowd CEO Casey Ellis said by email that it's worth noting that cybercriminals appear to be changing their focus from credit card data to personal information. "There has been a shift in targeting, which to me signals a shift in the way criminals are calculating their return on investment in these hacks," he said.
"It also indicates that criminals are becoming more efficient in capitalizing personal data, which is interesting too," Ellis added. "Extracting a gain from personal information at scale is far more cumbersome than pulling money from a stolen credit card."
Mark Bower, global director of product management for enterprise data security at HP Security Voltage, added that it's crucial for companies to protect and encrypt all sensitive customer information, not just passwords. "It’s important that businesses follow best practices of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data at rest, in use and in motion," he said. "This is especially urgent in the financial services industry and with data processors."
"Beyond the threat to customers' sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line," Bower added. "A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks."
A recent eSecurity Planet article offered six tips for stronger encryption.