The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
Recent Posts
- Privacy laws block help path to teens
- Dutch Court Orders Lycos To Reveal Client's Identi...
- Study of information practices of US companies
- Army's proposed database of sexual assault victims...
- Denver woman charged for not showing ID to securit...
- BC Legislature Committee recommends re-appointment...
- Privacy Battle Could Halt European Flights to U.S....
- Entertainment industry accused of 'trying to hijac...
- Alberta bar to continue scanning IDs despite Commi...
- No blame in case of info leaked to US prisoner
On Twitter
About this page and the author
The author of this blog,
David T.S. Fraser, is a Canadian privacy lawyer who practices with the
firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
Privacy Calendar
Archives
- January 2004
- February 2004
- March 2004
- April 2004
- May 2004
- June 2004
- July 2004
- August 2004
- September 2004
- October 2004
- November 2004
- December 2004
- January 2005
- February 2005
- March 2005
- April 2005
- May 2005
- June 2005
- July 2005
- August 2005
- September 2005
- October 2005
- November 2005
- December 2005
- January 2006
- February 2006
- March 2006
- April 2006
- May 2006
- June 2006
- July 2006
- August 2006
- September 2006
- October 2006
- November 2006
- December 2006
- January 2007
- February 2007
- March 2007
- April 2007
- May 2007
- June 2007
- July 2007
- August 2007
- September 2007
- October 2007
- November 2007
- December 2007
- January 2008
- February 2008
- March 2008
- April 2008
- May 2008
- June 2008
- July 2008
- August 2008
- September 2008
- October 2008
- November 2008
- December 2008
- January 2009
- February 2009
- March 2009
- April 2009
- May 2009
- June 2009
- July 2009
- August 2009
- September 2009
- October 2009
- November 2009
- December 2009
- January 2010
- February 2010
- March 2010
- April 2010
Links
Blogs I Follow
Small Print
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, November 26, 2005
Incident: Hacker hits Troy Group's eCheck Secure service, affects customers of Scot Trade online brokerage
Thanks to Brian Krebs on Computer and Internet Security for pointing me to this story ...
One of the largest online brokerage houses in the United States has started informing a large group of its customers that a hacker has obtained access to information on customers of Troy Group's eCheck Secure service, which is used by a number of Scot's customers to settle their accounts. Scot is the fifth or sixth largest such service provider in the US. Customers received the following letter:
Scottrade:November 11, 2005
Re: Alert for users of the eCheck Secure™ Service
Dear Customer:
We are contacting you to inform you that Scottrade has experienced a data security issue with the eCheck Secure™ service. Our records indicate that you have used eCheck Secure™ for the purpose of electronically moving funds from your bank to Scottrade. We will detail what we know about the situation and also what steps you should consider taking to safeguard your information.
On October 25, 2005, Troy Group Inc., the provider of the eCheck Secure™ service and other services to the financial services industry, reported to us that a computer hacker had compromised its eCheck Secure™ servers. As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised. If you used your Social Security number as your driver's license or state ID number, your Social Security number may have been compromised as well. We do not know whether the hacker has actually accessed and/or used any of your personal information. However, Troy has notified us that it has blocked further unauthorized access to the information. The eCheck Secure™ service cannot be used to withdraw funds from your Scottrade account. Troy has filed a report with the FBI and is investigating in conjunction with a forensic analysis firm that it has retained. Scottrade has also contacted the FBI on this matter, and has a dedicated team to work on this issue and assist our customers who may have been affected.
We suggest taking the following steps for all your accounts that have eCheck Secure™ activated.
- Contact your local Scottrade branch office for additional information or to change your Scottrade account number. If it is not possible or convenient for you to contact your local Scottrade branch office, then you can reach our Service Center at 866-476-6500. Our Service Center is open Monday - Friday, 7 a.m. to 11 p.m. EST. Although this is not a situation where Scottrade's network was breached, you may, nevertheless, want to consider changing your Scottrade account number for additional protection.
- Remember to review your Scottrade account activity regularly and statement promptly. Report any suspicious activity to us.
- Although this was not an Internet security issue, you may want to change your Scottrade account access password periodically (a secure password that is easy for you to remember, but difficult for others to guess) by using our online change password process.
- Since your bank information could have been accessed, contact your bank immediately so it is aware of the situation and can monitor for unusual activity in your bank account.
- Review your bank activity and statements promptly to detect and prevent fraud. Look for transactions with strange payees or amounts you do not recognize. The more frequently you review your activity and statements, the easier it will be to detect suspicious transactions.
- If you use your Social Security number for your driver's license or state ID card, we strongly urge you to change your account number and place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. For more information on placing a fraud alert on your credit file, please see www.scottrade.com/security, a website that we have dedicated to this issue.
We are extremely sorry about this matter and will strive to rectify the situation to the best of our abilities. If you have any questions or concerns, please contact us, so we may be of assistance.
Sincerely,
Ellis Hough
Manager
Risk Management
I haven't heard of any other eCheck customers being notified.
Labels: information breaches, law enforcement
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.
