Monday, April 12, 2010
FINRA announced that it has fined D.A. Davidson & Co., of Great Falls, MT, $375,000 for its failure to protect confidential customer information by allowing an international crime group to improperly access and hack the confidential information of approximately 192,000 customers. FINRA found that prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm's procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place.
As a result, in Dec. 25 and 26, 2007, D.A. Davidson's database was compromised when an unidentified third party downloaded confidential customer information through a sophisticated network intrusion. To breach D.A. Davidson's system, the hacker employed a mechanism called "SQL injection," an attack in which computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database. The hacker was able to access and download the affected customers' confidential information. While these attacks were visible on Web server logs, the firm failed to review those logs.
The breach was discovered through an email that was sent by the hacker on Jan.16, 2008, blackmailing the firm. Upon receiving the threat, D.A. Davidson reported the incident to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana.
FINRA took into consideration the firm's quick response to protect its customers and cooperation with law enforcement authorities and the fact that do date, no customer has suffered any instance of identity theft when assessing the fine in this matter. In settling this matter, the firm neither admitted nor denied the charges, but consented to the entry of FINRA's findings.