The Financial Industry Regulatory Authority fined D.A. Davidson & Co. $375,000 for failing to protect confidential customer information that hackers stole from its computer systems in late 2007, but credited the firm for its response to customers after it learned of the breach and for cooperating with criminal law enforcement agencies.
FINRA announced the settlement yesterday. The Great Falls, Mont.-based firm agreed to pay the fine without admitting or denying FINRA’s findings, which revealed that some 230,000 client accounts were breached, 192,000 of which were for individual customers. The rest were corporate and other types of accounts, FINRA said.
The self-regulator found that prior to January 2008, Davidson did not have adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on the same computer that also hosted its public Web site. As a result, hackers were able to access the database using a “SQL injection” attack, in which crafted input is repeatedly submitted through a Web page so that the database executes it as part of a query and returns the stored information. Davidson’s database was not encrypted or protected with a password.
The customer information was compromised on Dec. 25 and 26, 2007, though the firm only learned of the breach when one of the hackers attempted to blackmail it in an e-mail sent on Jan. 16, 2008, FINRA said. While Davidson had previously retained independent auditors and outside security consultants to review and audit its network security, at least one of their recommendations, the deployment of intrusion detection software, went unheeded.
“Broker-dealers must be especially vigilant about protecting its customers’ confidential information, which includes ensuring that its technology is sufficient,” said FINRA executive vice president and executive director of enforcement James Shorris. “In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data — even though the firm had been advised before this incident to implement an intrusion detection system.”
Jacquie Burchard, a spokesman for Davidson, said the firm believes the settlement “is the most efficient way to put the matter behind us and focus on the needs of our clients.” Specifically, FINRA found that Davidson violated Rule 30 of the Securities and Exchange Commission’s Regulation S-P on the protection of customer information. It requires firms to adopt written policies and procedures to address administrative, technical, and physical safeguards for protecting customer data.
While FINRA found that the firm regularly reviewed “perimeter security” logs, the attacks were not visible on those logs. They were visible on Web server logs; however, the firm failed to review them and did not have written procedures to ensure their review. Even if the firm had detected the breach, it did not have written procedures outlining an information security program designed to respond to such intrusions or to protect confidential customer information, FINRA said.
But it credited Davidson for taking down its Web site after learning of the breach, issuing a public statement and reporting the incident to law enforcement. It also was credited for taking other steps such as hiring an outside electronic security adviser and creating a $1.3 million plan to subscribe affected customers for two years to a credit-monitoring service.
In a settlement of a class action reached last year with some affected customers, the firm agreed to provide up to $1 million to reimburse for losses, though it is not aware of any customer that has suffered from identity theft or any actual damages as a result of the breach, FINRA said.
As part of a criminal investigation into the hacking, four Latvian suspects were indicted by a federal grand jury in March 2008. Of the four, three were extradited to the U.S. last year and a fourth is still believed to be at large.