St. Louis-based retail brokerage firm Scottrade has been hacked. The social security numbers, email addresses, street addresses, and other sensitive information of at least 4.6 million customers was accessed.


The data was stolen between late 2013 and early 2014. Scottridge is now offering a year of free credit monitoring for people affected. If that sounds familiar, you may be thinking of yesterday’s news: T-Mobile is also offering free credit monitoring for the 15 million people at risk after a breach of its credit reporting vendor Experian.

Security researcher Brian Krebs talked to a Scottrade spokesperson Shea Leordeanu about the hack. Leordeanu didn’t offer any new information, except that the company learned about the breach from the FBI.


Scottrade issued a notice about the breach, emphasizing that its encrypted passwords appear safe. That may not be much comfort to the millions of people whose basic identifying information was hijacked.

Here’s the full notice from Scottrade’s website:

Federal law enforcement officials recently informed us that they’ve been investigating cybersecurity crimes involving the theft of information from Scottrade and other financial services companies. Based on our investigation and information provided by federal authorities, we believe the illegal activity involving our network occurred between late 2013 and early 2014, and targeted client names and street addresses. Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident.

We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.

We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm. We have taken appropriate steps to further strengthen our network defenses.

As a precaution, however, we are directly notifying and offering identity protection services to approximately 4.6 million clients whose information was in the targeted database. We take the security of the information entrusted to us very seriously and are fully cooperating with law enforcement in its investigation and efforts to bring the perpetrators to justice.



[Krebs on Security]