The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Saturday, November 26, 2005
Thanks to Brian Krebs on Computer and Internet Security for pointing me to this story ...
One of the largest online brokerage houses in the United States has started informing a large group of its customers that a hacker has obtained access to information on customers of Troy Group's eCheck Secure service, which is used by a number of Scottrade's customers to settle their accounts. Scottrade is the fifth or sixth largest such service provider in the US. Customers received the following letter:
November 11, 2005
Re: Alert for users of the eCheck Secure™ Service
We are contacting you to inform you that Scottrade has experienced a data security issue with the eCheck Secure™ service. Our records indicate that you have used eCheck Secure™ for the purpose of electronically moving funds from your bank to Scottrade. We will detail what we know about the situation and also what steps you should consider taking to safeguard your information.
On October 25, 2005, Troy Group Inc., the provider of the eCheck Secure™ service and other services to the financial services industry, reported to us that a computer hacker had compromised its eCheck Secure™ servers. As a result, some of your personal information, including your name, driver's license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised. If you used your Social Security number as your driver's license or state ID number, your Social Security number may have been compromised as well. We do not know whether the hacker has actually accessed and/or used any of your personal information. However, Troy has notified us that it has blocked further unauthorized access to the information. The eCheck Secure™ service cannot be used to withdraw funds from your Scottrade account. Troy has filed a report with the FBI and is investigating in conjunction with a forensic analysis firm that it has retained. Scottrade has also contacted the FBI on this matter, and has a dedicated team to work on this issue and assist our customers who may have been affected.
We suggest taking the following steps for all your accounts that have eCheck Secure™ activated.
- Contact your local Scottrade branch office for additional information or to change your Scottrade account number. If it is not possible or convenient for you to contact your local Scottrade branch office, then you can reach our Service Center at 866-476-6500. Our Service Center is open Monday - Friday, 7 a.m. to 11 p.m. EST. Although this is not a situation where Scottrade's network was breached, you may, nevertheless, want to consider changing your Scottrade account number for additional protection.
- Remember to review your Scottrade account activity regularly and statement promptly. Report any suspicious activity to us.
- Although this was not an Internet security issue, you may want to change your Scottrade account access password periodically (a secure password that is easy for you to remember, but difficult for others to guess) by using our online change password process.
- Since your bank information could have been accessed, contact your bank immediately so it is aware of the situation and can monitor for unusual activity in your bank account.
- Review your bank activity and statements promptly to detect and prevent fraud. Look for transactions with strange payees or amounts you do not recognize. The more frequently you review your activity and statements, the easier it will be to detect suspicious transactions.
- If you use your Social Security number for your driver's license or state ID card, we strongly urge you to change your account number and place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. For more information on placing a fraud alert on your credit file, please see www.scottrade.com/security, a website that we have dedicated to this issue.
We are extremely sorry about this matter and will strive to rectify the situation to the best of our abilities. If you have any questions or concerns, please contact us, so we may be of assistance.
I haven't heard of any other eCheck customers being notified.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.