[BreachExchange] Scottrade hit with new class action suit over 2013 Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 9 19:21:44 EDT 2017


The latest in a series of class action suits was filed against Scottrade in
a Florida court late last week, claiming that the financial brokerage failed
to take appropriate measures to protect its customers' personal information,
measures that could have prevented a data breach that exposed the personal
information of millions of customers.

This suit, which has Florida resident Angela Lynn Martin named as the
primary plaintiff, was brought before the Circuit Court of the Sixth
Judicial Circuit in and for Pasco County, Florida. The exact amount that is
being sought is not yet known, but according to court documents it will be
in excess of $15,000.

The plaintiff's lead attorney, Tim Blood of Dogali Law, estimated to SC
Media that the number of people included in this class-action suit is
about 300,000. Overall, about 4.6 million Scottrade customers were affected
by the data breach. Class action suits based on this breach also have been
filed in Missouri and California.

When Scottrade began notifying its customers of the breach it offered to
pay for one year of credit monitoring through AllClear ID to include a $1
million identity theft insurance policy, which Martin's lawyer said in the
legal documents, “does not provide comprehensive protection to the affected

The plaintiffs also claim in the suit that Scottrade did not notify those
affected as quickly as possible, pointing out that the FBI told Scottrade
of the hack on about September 25, 2015, but the company waited a week
before sending out any notices informing them of the breach.

The court documents state that between September 2013 and February 2014
hackers were able to access and export its customers' personally
identifiable information. Specifically, it is stated that Martin's
information was taken and used by unauthorized individuals, causing her
financial harm.

Martin's lawyers are arguing that Scottrade did not enact strict enough
cybersecurity protocols to protect her and the other plaintiffs' data, as
the company was contractually obligated to do.

The court documents noted that the Scottrade hack took place when one
hacker provided another with a single account login, which that person was
then able to use to gain access to Scottrade's entire network.

“Once inside Scottrade's networks, the hackers had the ability to move from
application to application until they found the sensitive data they
desired. The hackers took the PII for the purposes of building their own
customer database for marketing and brokering stock transactions,” the
court documents stated.

The end result of the scheme was to use the Scottrade customer data as part
of a stock manipulation scheme that netted the hackers millions of dollars.

In other Scottrade news, Scottrade Bank publicly confirmed that the
personal information of 20,000 customers was inadvertently left open to the
public when a third-party vendor uploaded a file to a server without
putting the proper security protocols in place.

Scottrade has not responded to a request by SC Media to respond for this