Scottrade Bank’s breach underlines third-party vendor risk
When Scottrade Bank recently confirmed a data breach that exposed nonpublic information of 20,000 consumer and business customers, it did something unusual.
Instead of offering no explanation or a vague description of what happened, waiting for a full investigation to reveal the details, the St. Louis bank immediately pointed the finger at one of its vendors.
“On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place,” the bank said in a statement late last week. “As a result, the data was not fully secured for a period of time.”
The SQL file contained commercial loan application information for a business-to-business unit of Scottrade Bank. The bank said Genpact immediately secured the information and traced the issue to a configuration error on the vendor’s part while uploading the file.
Genpact declined a request for an interview, but offered this statement: “Genpact takes data protection very seriously. As soon as we learned of this matter, we immediately secured the data file. We are conducting an analysis to identify the extent to which the data may have been accessed, and have also engaged with a leading forensics firm to help us in this regard. We believe this is an isolated incident and there is no indication that any other clients or operations were impacted.”
The exposure of the database was discovered by MacKeeper researcher Chris Vickery on March 31, while he was searching for arbitrary phrases across publicly accessible Amazon S3 storage (the s3.amazonaws.com domain).
“It's as bad as I expected,” he tweeted. “Bank-related. Plaintext passwords. Big name company. I've reached out to them.” The next day he tweeted: “Bank-related find is verified as secured now. Agreed not to name entity for 3 days. Allowing log investigation and PR prep time."
Large MSSQL db fully loaded. It's as bad as I expected. Bank-related. Plaintext passwords. Big name company. I've reached out to them.
— Chris Vickery (@VickerySec) April 1, 2017
The bank said none of its own systems were affected by the breach.
This is not the first time a vendor has accidentally compromised bank data. The most famous third-party data breach in recent years is Target. Hackers first breached one of the retailer’s heating and air conditioning vendors, and from there, through a vendor billing system, broke into Target’s network to steal data on 40 million credit and debit cards and personally identifiable information of 70 million shoppers. Target has been sued more than 140 times by banks, consumers and shareholders since the 2013 breach.
In the bigger picture, not only is vetting and monitoring third parties an increasingly important priority for banks, but so is encrypting all sensitive information at all times, at rest as well as in transit. New York State regulators have emphasized both points in their new cybersecurity rules (23 NYCRR Part 500), which require covered entities to maintain a third-party service provider security policy and to encrypt nonpublic information in transit and at rest unless that is infeasible and compensating controls are in place.
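The two mistakes this incident turns on, a storage bucket that anyone can read and a data set uploaded without encryption, are both visible in a bucket's ACL and bucket policy before any data is put in it. The following Python is an added example written for this page, not code from Scottrade, Genpact or the researcher: it audits a bucket's ACL and policy documents offline, flagging grants to the AllUsers/AuthenticatedUsers groups, unconditional public read or list statements, and the absence of a Deny on unencrypted PutObject. The ACL and policy documents, bucket name `example-loan-data`, account ID and role name are all constructed for illustration, in the shape that AWS's GetBucketAcl and GetBucketPolicy return.

```python
"""Offline audit of an S3 bucket ACL and bucket policy for public access
and for missing encryption-at-rest enforcement.

All documents below are constructed samples (not any vendor's real
configuration), shaped like the JSON AWS returns from GetBucketAcl and
GetBucketPolicy, so the checks run without AWS credentials or network.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
SSE_KEY = "s3:x-amz-server-side-encryption"


def _as_list(x):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    return x if isinstance(x, list) else [x]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" within an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def acl_public_grants(acl):
    """Return (who, permission) for every ACL grant made to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            out.append((PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return out


def policy_public_read_statements(policy):
    """Sids of unconditional Allow statements granting read/list to everyone."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # conditioned statements need manual review, not an automatic flag
        if _principal_is_everyone(st.get("Principal")) and READ_ACTIONS & set(_as_list(st.get("Action", []))):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def policy_denies_unencrypted_put(policy):
    """True if some Deny on s3:PutObject fires when the SSE header is absent
    (Null condition) or not the expected algorithm (StringNotEquals)."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        if str(cond.get("Null", {}).get(SSE_KEY, "")).lower() == "true":
            return True
        if SSE_KEY in cond.get("StringNotEquals", {}):
            return True
    return False


def audit_bucket(acl, policy):
    """Collect findings for one bucket; an empty list means all three checks passed."""
    findings = [f"ACL grants {perm} to {who}" for who, perm in acl_public_grants(acl)]
    findings += [f"policy statement {sid} allows public read/list" for sid in policy_public_read_statements(policy)]
    if not policy_denies_unencrypted_put(policy):
        findings.append("no Deny for unencrypted PutObject (objects may be stored in plaintext)")
    return findings


# Constructed sample 1: a bucket anyone can list and read, with nothing stopping plaintext uploads.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-loan-data/*"}]}""")

# Constructed sample 2: owner-only ACL; only a named role may read; plaintext uploads and non-TLS access are refused.
HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]}
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "RoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-loan-processing"},
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-loan-data/*"},
  {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::example-loan-data/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-loan-data", "arn:aws:s3:::example-loan-data/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

if __name__ == "__main__":
    for name, acl, pol in (("weak", WEAK_ACL, WEAK_POLICY), ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(name, audit_bucket(acl, pol) or ["no findings"])
```

Run against the weak pair, the audit reports the public ACL grant, the `PublicRead` statement and the missing encryption Deny; against the hardened pair it reports nothing. A bucket policy can only refuse what arrives without the SSE header, so the Deny statement is the control that makes "encrypt at all times" enforceable on the vendor side rather than a matter of each uploader remembering to set it; the same audit is also the kind of evidence a bank can ask a third party to produce when vetting how its data will be stored.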
“Inadvertently exposed databases with sensitive information are not a new problem,” said Tim Erlin, senior vice president of IT security and risk strategist for the cybersecurity firm Tripwire. “Any organization that collects and stores sensitive data needs to be able to keep track of where that data is and how that data is exposed.” Access methods to data also have to be secure, he added.
Scottrade has agreed to be sold to TD Ameritrade. It’s unclear if the breach will affect the $4 billion deal, which is to close next quarter.