Online brokerage Scottrade has admitted sensitive loan applications from roughly 20,000 customers were exposed to the world by a fumble-fingered third-party supplier.
The cockup occurred when IT services biz Genpact uploaded the sensitive information to an Amazon-hosted server and didn't lock the box down – allowing its contents to be potentially extracted by anyone passing by.
Security researcher Chris Vickery found the stash while looking around the 'net, and downloaded the 158.9GB Microsoft SQL database before calling Scottrade to advise the finance house that it had a problem.
Large MSSQL db fully loaded. It's as bad as I expected. Bank-related. Plaintext passwords. Big name company. I've reached out to them. — Chris Vickery (@VickerySec) April 1, 2017
After Vickery alerted the biz, Scottrade started digging into the situation and found the cause – a staffer at Genpact who misconfigured the SQL server and is quite possibly updating their resume at the moment. The leaky database has now been tucked away from public view, and Scottrade has issued an apology.
"Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file," Scottrade said in a statement.
"Genpact is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis."
Scottrade hasn't said exactly what information was contained in the database despite prodding from The Reg for details. Vickery said account passwords were stored in plain text, and it appears that names, addresses and social security numbers were all included.
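The plaintext passwords are the part of this leak that turns an exposed table into immediately usable credentials. As an added example (this is not code from the article, and nothing is known about how Scottrade's or Genpact's systems actually stored passwords), the following Python shows what a credential table should hold instead: a per-record salted scrypt hash with its parameters embedded, a constant-time verifier that refuses malformed records, and a routine for migrating an existing plaintext table. Function names, parameters and the sample records are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters for hashlib.scrypt. Assumed values chosen for
# illustration: N=2**14, r=8 needs roughly 16 MiB per hash, under the
# 32 MiB OpenSSL default that Python uses when maxmem is left at 0.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per record
KEY_LEN = 32    # bytes of derived key stored per record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<key hex>.

    The parameters travel with the record so the work factor can be raised
    later without invalidating existing entries. A fixed salt may be passed
    for tests; callers should otherwise leave it None to get a random one.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own parameters and compare it in
    constant time. Malformed records verify as False instead of raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except ValueError:
        # Bad integers, bad hex, or scrypt rejecting the parameters
        # (e.g. n not a power of two, empty key) all mean "not valid".
        return False
    return hmac.compare_digest(actual, expected)


def migrate_plaintext_store(store: dict) -> dict:
    """Convert a {username: plaintext} table into {username: record}.

    A leak of the returned table still exposes usernames, but no longer
    hands the attacker every password outright.
    """
    return {user: hash_password(pw) for user, pw in store.items()}


if __name__ == "__main__":
    # Constructed sample of the kind of table that should never exist.
    plaintext_table = {"alice": "correct horse", "bob": "hunter2"}
    hashed_table = migrate_plaintext_store(plaintext_table)
    for user, pw in plaintext_table.items():
        assert verify_password(pw, hashed_table[user])
        assert not verify_password(pw + "x", hashed_table[user])
    print(hashed_table["alice"])
```

Two points worth noting for anyone doing such a migration: the hash parameters are stored alongside the hash precisely so that old records can be re-hashed to a higher cost at the user's next login, and the comparison uses hmac.compare_digest rather than == so that verification time does not leak how many leading bytes matched.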
Genpact and Scottrade both stressed that their internal servers weren't hacked. Anyone who has asked the group for a business loan might want to get in touch and find out if their data was on the list.
It's not the first time that Scottrade has been a little loose with customer data. In 2015, the FBI contacted the firm about a data breach during the preceding two years that exposed the records of 4.6 million of its customers, forcing a hasty lockdown and customer alert.
Brokerage houses and financial institutions are a particular target for information slurpers, and not just for emptying bank accounts. A mailing list of investors is very useful for pump-and-dump stock scammers and such frauds have been on the rise of late. ®