A financial consultancy firm has been fined $375,000 by US authorities for a series of failures that enabled a criminal gang to hack into its database and steal the confidential information of nearly 200,000 customers.
The Financial Industry Regulatory Authority (Finra) handed DA Davidson the fine for failing to protect the personal information of 192,000 people, including customer account numbers, Social Security numbers, names, addresses and dates of birth.
The firm's database was breached on 25 and 26 December 2007, when an unidentified attacker used a simple SQL injection attack to download customer details.
The attacks were visible on Web server logs but DA Davidson failed to review them, says Finra. In fact, the firm only became aware of the breach on 16 January, when the hacker sent an e-mail in a blackmail attempt.
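The unreviewed web server logs are the part of this case a routine check would have caught. As an added illustration (not part of the article, and not DA Davidson's logs or tooling), the Python below scans constructed Apache-style access log lines for SQL injection indicators in decoded query parameters and tallies flagged requests per client address, the kind of daily review Finra said was missing.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache "combined" log format; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2007:02:14:01 -0700] "GET /account.asp?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:02:14:09 -0700] "GET /account.asp?id=1042'+OR+'1'%3D'1 HTTP/1.1" 200 88212 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:02:15:30 -0700] "GET /account.asp?id=-1+UNION+SELECT+name,ssn+FROM+customers-- HTTP/1.1" 200 401233 "-" "Mozilla/4.0"
198.51.100.23 - - [26/Dec/2007:09:02:11 -0700] "GET /index.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the review needs: client, timestamp, request target, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def sqli_indicators(value):
    """Return the textbook SQL injection indicators present in one decoded parameter value."""
    hits = []
    if "'" in value:
        hits.append("quote")                       # string delimiter breaking out of a literal
    if re.search(r"\bunion\b.*\bselect\b", value, re.I):
        hits.append("union-select")                # extra result set appended to the query
    if re.search(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+", value, re.I):
        hits.append("tautology")                   # always-true condition such as OR '1'='1'
    if "--" in value or "/*" in value:
        hits.append("comment")                     # comment sequence discarding the rest of the query
    return hits


def scan(log_text):
    """Parse each line, decode its query string and flag parameters carrying injection indicators."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines not in the expected format
        rec = m.groupdict()
        # parse_qsl undoes percent-encoding and '+' so the indicators are matched on what the app saw.
        for name, value in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
            hits = sqli_indicators(value)
            if hits:
                size = 0 if rec["bytes"] == "-" else int(rec["bytes"])
                flagged.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                                "value": value, "indicators": hits, "bytes": size})
    return flagged


def suspects(flagged):
    """Count flagged requests per client so a reviewer sees the noisy source at a glance."""
    return Counter(f["ip"] for f in flagged)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]!r} {h["indicators"]} {h["bytes"]} bytes')
    print("flagged requests per client:", dict(suspects(hits)))
```

The response size column is worth keeping alongside the indicators: a flagged request that returns far more bytes than the normal page is the one most likely to have succeeded.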
The company then reported the attack to the authorities and helped the Secret Service identify four members of an international group suspected of the hack. Three of them have been arrested, extradited from Eastern Europe and are facing charges in federal court in Montana.
Finra praised DA Davidson's response to the hack but criticised the firm for its earlier failures, accusing it of not putting adequate safeguards in place to protect customer records and information stored in a database housed on a web server with a permanent open Internet connection. The database was not encrypted, and DA Davidson had not even set a password on it, leaving the default blank password in place.
These failures occurred despite the fact that between April 2006 and October 2007 the firm had retained independent auditors and outside security consultants to review and audit its network security. DA Davidson acted on most security recommendations received but crucially ignored one, failing to install an intrusion detection system.
James Shorris, executive director of enforcement at Finra, says: "Broker-dealers must be especially vigilant about protecting their customers' confidential information, which includes ensuring that their technology is sufficient. In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data - even though the firm had been advised before this incident to implement an intrusion detection system."