Hacker imperils data of 140,000 Scottrade clients

November 29, 2005

By Jack Naudi, St. Louis Post-Dispatch


An Internet hacker might have gained access to personal and financial data of about 140,000 customers of Scottrade Inc., a stock brokerage based in St. Louis County.

Scottrade said Tuesday that the breach involved the company's eCheck Secure service, which allowed customers to electronically shift funds to their Scottrade accounts from their banks.

Possible exposed information included names, birth dates, drivers license numbers, phone numbers, bank names, bank routing numbers, bank account numbers and Scottrade account numbers.

The eCheck service was provided by Scottrade through a third party, Troy Group Inc. of Santa Ana, Calif. Troy, which offers eCheck to several financial-services companies, publicly reported the breach on Oct. 25 and notified Scottrade the same day.

A Scottrade official said Tuesday that the company discontinued its six-year-old eCheck services shortly after that and began notifying customers.

Scottrade has 1.2 million customers, but only those who used the eCheck system were at risk.

It's unclear what, if any, information might have been compromised, said Ellis Hough, risk manager at Scottrade.

"Troy Group was able to provide us with the fact that their servers were possibly compromised and accessed," Hough said. "That's all they've been able to share with us. ... There is no evidence that any information was actually removed from Troy servers and misused."

After announcing that "a computer hacker has compromised its eCheck servers," Troy has provided no further details. The company said at the time that it filed a report with the FBI.

A Troy executive didn't return a call Tuesday for comment.

Scottrade recommended in a letter that customers who used eCheck contact their banks. In addition, customers should contact credit agencies to have a fraud alert put into their files.

Hough said Scottrade was looking for an alternate service to eCheck, adding that he doubted the firm would return to Troy.

[an error occurred while processing this directive]