Scottrade Bank Exposes Customers' Personal Information
Posted by: Timothy Weaver on 04/06/2017 01:53 PM
Because a third-party vendor uploaded a file to a server without putting the proper security protocols in place, the personal information of 20,000 Scottrade Bank customers was inadvertently left open to the public.
Cybersecurity researcher Chris Vickery came across the database on April 1st. Vickery had agreed to keep the bank's name under wraps for three days, which allowed the bank time to patch the flaw.
Scottrade placed the blame for the incident on Genpact, one of its vendors. “Genpact, a third-party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time,” said Scottrade spokesperson Gail Marold, adding, “Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file.”
The breach is being investigated, which will include trying to determine the extent to which the data may have been accessed by unauthorized personnel.
Vickery questioned Scottrade's security practice: “Scottrade says API key in database is legacy and decommissioned. Then why was Scottrade still using it actively on day of db dump in Dec.?”
Source: SCMagazine
