Hacked Server Exposes Brokerage Customers’ Data

Online brokerage Scottrade says a server compromise at a service provider may have exposed the financial details of its customers, including banking account information and Social Security numbers. The security breach follows warnings from U.S. securities regulators that hackers and phishing fraudsters have stepped up their targeting of online investors, prompting enhanced education efforts by brokerage firms and the U.S. government.

Scottrade, which has 1.4 million customers, said it was notified Oct. 25 that a hacker had compromised a server at eCheck Secure, an electronic payment service provided by The Troy Group Inc. "As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised," read the message to investors.

The Troy Group said it had reported the intrusion to the FBI, and hired a professional forensic analysis firm to aid in the investigation. eCheck Secure allows Internet merchants and financial institutions to accept checks online or in call centers. The eCheck Secure web site runs on Windows 2000 and IIS 5.0.

Little-known third-party service providers have figured in high-profile incidents that have exposed customer data. In June, a security breach at CardSystems Solutions exposed more than 40 million credit card accounts to potential theft, including customers of MasterCard, Visa, Discover and American Express.

Netcraft audits financial web applications for design errors and erroneous functionality. These tests are among a range of security services, including automated vulnerability tests of Internet-connected networks and a suite of anti-phishing measures.