MacKeeper security researcher Chris Vickery discovered the exposed database on March 31. On April 1, he tweeted, “Large MSSQL db fully loaded. It’s as bad as I expected. Bank-related. Plaintext passwords. Big name company. I’ve reached out to them.”
Vickery then followed up soon after with, “Just got off phone with the bank’s tech squad. The issue is being escalated immediately and hopefully will be secured soon.”
The next day, he tweeted, “Bank-related find is verified as secured now. Agreed not to name entity for 3 days. Allowing log investigation and PR prep time.”
The unencrypted database contained 48,000 lessee credit profile rows and 11,000 guarantor rows, according to Salted Hash. The records included Social Security numbers, names, addresses and phone numbers, along with plaintext passwords and employee credentials used for API access to third-party credit reporting services.
Third-Party Human Error
In a statement, Scottrade said third-party vendor Genpact confirmed on April 2 that it had uploaded data to a cloud server that did not have all security protocols in place. The exposed data consisted of commercial loan application information for a B2B unit of Scottrade Bank, including the private data of 20,000 businesses and individuals.
“Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file. … This appears to be a case of isolated human error by the vendor in handling the data set,” Scottrade stated.
In its own statement [PDF], Genpact acknowledged the error and said, “Genpact believes this to be an isolated incident that is unrelated to its broader operations and there are no indicators of any compromise of Genpact’s systems, network, or work for any other clients. Furthermore, this is a discrete issue with no link to any other aspect of Scottrade’s business, since their own systems remain secure and were not involved in this matter.”
Nick Bilogorskiy, senior director of threat operations at Cyphort, told eSecurity Planet by email that vendor and contractor systems are often the weakest link in the chain, as demonstrated by the Target and Walmart breaches, as well as many others.
“In a meeting last week, one CISO of a Fortune 500 company confirmed to me they are quite aware of this trend and internally they monitor vendors very closely, limit access by vendors/contractors, and prioritize security alerts coming from vendor/contractor machines,” Bilogorskiy said. “Still, most companies do not have a process of assessing security third-party partner capabilities before they do business with them.”
And Zohar Alon, CEO of Dome9, said by email that the Scottrade breach exemplifies what he described as the one-strike law for security in the cloud. “In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked,” he said. “Even with strict security controls in place, breaches such as this still occur due to very basic process failures.”
Less Confident in the Cloud
A recent AlienVault survey [PDF] of 974 RSA Conference 2017 attendees found that one third of respondents described the state of security monitoring within their organizations as “complex and chaotic.”
While 47 percent of respondents would rather monitor a cloud environment than an on-premises network, 42 percent acknowledged that they’re less confident in their ability to detect threats in the cloud than on-premises.
Thirty-nine percent of respondents are using more than 10 different cloud services within their organizations, and 21 percent don’t know how many cloud applications are being used. Forty percent said their IT team isn’t always consulted before a cloud platform is used.
The AlienVault report notes that using the cloud essentially means putting control of your data and infrastructure into the hands of a third party. “Should an issue emerge on their side of the fence, there’s very little you can do about it,” the report states. “Despite this, however, our survey results suggest that a significant number of people do trust the cloud-based services they use and feel confident in their ability to detect threats in the cloud.”