Scottrade Breach Exposes 20K Accounts

Scottrade Bank, a subsidiary of Scottrade Financial Services, recently experienced a breach of a 60GB MSSQL database that contained customer records and other sensitive information, CSO reported.

The data breach is believed to have exposed the data of more than 20,000 customers to the public.

The unencrypted database reportedly included 48,000 lessee credit profile rows and as many as 11,000 guarantor rows, with each row containing sensitive information such as Social Security numbers, names, addresses and phone numbers.

MacKeeper researcher Chris Vickery discovered the compromised database on March 31 and said he immediately contacted Scottrade Bank about the issue. Two days later, Vickery confirmed that the problem had been resolved by the Scottrade Bank security team, which secured the data.

Vickery told CSO that the database also contained internal company information, such as employee credentials used for API access and plain text passwords.

Scottrade spokesperson Shea Leordeanu said it only took six hours for the database to be secured and that an investigation is ongoing.

“We are a customer-focused company, and will always act in their best interests,” Leordeanu said in a statement.

“On April 2, Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time. The file contained commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses. Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file,” the statement explained.

Scottrade maintains that the incident was caused by human error and that its systems remain secure.

“This appears to be a case of isolated human error by the vendor in handling the data set. It is important to note that we hold all of our third-party vendors to rigorous information security standards. The vendor has acknowledged responsibility for this incident,” Scottrade said.