Researcher Chris Vickery made the discovery and notified Scottrade.
Researcher Chris Vickery made the discovery and notified Scottrade.

Scottrade Bank publicly confirmed that the personal information of 20,000 customers was inadvertently left open to the public when a third-party vendor uploaded a file to a server without putting the proper security protocols in place.

Cybersecurity researcher Chris Vickery first hinted about the breach on his Twitter feed April 1 saying he was able to download a large bank-related MSSQL database containing plaintext passwords. He followed up the next day saying the bank, eventually named as Scottrade, had responded to his breach notification and patched the problem. Scottrade Bank is a subsidiary of Scottrade Financial Services.

Vickery had agreed to keep the bank's name under wraps for three days.

In an April 5 statement on the data breach Scottrade placed the blame for the incident on Genpact, one of its vendors, who pushed a file to a server containing commercial loan application information of B2B unit that is housed within Scottrade Bank.

“Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time,” said Scottrade spokesperson Gail Marold, adding, “Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file.”

No other Scottrade customer information was at risk, the company said, and the breach is being investigated. This will include trying to determine the extent of which the data may have been accessed by unauthorized personnel.

Vickery questioned Scottrade's security practice that lead to the problem.

“Scottrade says API key in database is legacy and decommissioned. Then why was Scottrade still using it actively on day of db dump in Dec.?” he tweeted.

Alex Heid, Chief Research Officer at SecurityScorecard also noted, Scottrade was using a MySQL database that had no password authentication controls in place, but luckily the error discovered shortly thereafter

"This misconfiguration has been the root cause of many of the databases that have been observed circulating within the wild," he told SC Media.