On Monday, the Financial Industry Regulatory Authority (FINRA) announced that brokerage firm D.A. Davidson & Co. had consented to the imposition of a $375,000 fine for lax security measures that allowed hackers working for an “international crime group” to obtain personal information on thousands of customers.
The breach itself occurred in December 2007 when hackers used a “SQL injection” attack to obtain data on over 100,000 of Davidson’s customers from the firm’s online account system. (FINRA’s announcement alleges that the breach affected 192,000 customers, but court filings and the hackers’ own claims put the number as high as 300,000.) Davidson remained unaware of the breach until January 2008, when it received an email from Robert Borko, an Eastern European man, who demanded that Davidson pay him $80,000 for the return of the data and a “security consultation.” Borko suggested in broken English that Davidson did “not want to involve FBI here and we can have agreement like businesman.”
Davidson instead worked with the U.S. Secret Service to snare the hackers / “security consultants” behind the breach. Ultimately, this led to the indictment of not only Borko, but also Aleksandrs Hoholko, Jevgenijs Kuzmenko and Vitalkijs Drozdovs, three Latvian men who attempted to pick up Davidson’s blackmail payment at a Western Union in the Netherlands. Hoholko, Kuzmenko and Drozdovs were arrested in February 2008 by the Netherlands High Tech Crime Unit and extradited to the United States, where they have pled guilty to extortion charges. [These and other colorful details of the breach and blackmail attempt can be pulled from the filings in the criminal case against the Latvian men, including the defendants’ motion to dismiss (.pdf) and the government’s response (.pdf).]
Davidson spent $1.3 million on credit monitoring for its customers and settled a class action last year by agreeing to pay up to $1 million for any harm to its customers [see the Davidson settlement site]. At present, Davidson reports that no customer has been the victim of identity theft as a result of the intrusion.
According to the FINRA press release and the parties’ April 9, 2010 letter of consent (.pdf), FINRA claims that Davidson failed to adopt the minimum security measures required by Regulation S-P when it made its customer database available over the Internet. In particular, FINRA found that Davidson violated Reg S-P because the firm:
- did not encrypt the customer database;
- did not review web server logs which identified the SQL injection attacks;
- did not regularly review perimeter security logs (even though “the attacks were not visible on those logs”);
- did not have any written procedures in place for the review of web server logs;
- did not have an intrusion detection system in place; and
- did not have any written procedures “setting forth an information security program designed to respond to intrusions.”
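Two of the findings above turn on the same gap: the web server logs recorded the SQL injection requests, but nobody reviewed them. The script below is an added example, not code from the original post or from D.A. Davidson, showing what a routine review of those logs can look like. It parses Common Log Format lines, URL-decodes each request path, and flags requests that carry typical injection indicators (a quoted tautology, UNION SELECT, SQL comment sequences, stacked statements), then counts flagged requests per client so repeated probing from one address stands out. The log lines, IP addresses and URL paths are constructed for illustration and are not the firm’s real logs.

```python
"""Flag likely SQL injection probes in web server access logs.

Added example (not from the original post). Log lines are constructed in
Common Log Format for illustration; they are not D.A. Davidson's real logs.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log: two benign requests, two injection probes
# from the same client, and one legitimate apostrophe to show a non-match.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2007:10:01:02 -0700] "GET /account/view?id=1042 HTTP/1.1" 200 5120
192.0.2.10 - - [12/Dec/2007:10:01:07 -0700] "GET /account/view?id=1042'%20OR%20'1'%3D'1 HTTP/1.1" 200 98304
192.0.2.10 - - [12/Dec/2007:10:01:09 -0700] "GET /account/view?id=1042%20UNION%20SELECT%20name,ssn%20FROM%20customers-- HTTP/1.1" 500 612
198.51.100.7 - - [12/Dec/2007:10:02:15 -0700] "GET /account/view?id=2077 HTTP/1.1" 200 5001
198.51.100.7 - - [12/Dec/2007:10:02:20 -0700] "GET /search?q=O'Brien HTTP/1.1" 200 3300
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator patterns, applied to the URL-decoded request path.
INDICATORS = [
    # quote followed by OR/AND and a comparison, e.g. ' OR '1'='1
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    # UNION ... SELECT used to pull rows from other tables
    ("union_select", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)),
    # SQL comment sequences used to truncate the rest of the query
    ("comment", re.compile(r"--|/\*")),
    # a second statement stacked after a semicolon
    ("stacked_query", re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I)),
]


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(text):
    """Return one finding per request whose decoded path matches an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode %20, %3D, '+' etc. so obfuscated payloads match the patterns.
        decoded = unquote_plus(rec["path"])
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "status": int(rec["status"]),
                "path": decoded,
                "indicators": hits,
            })
    return findings


def suspicious_clients(findings):
    """Count flagged requests per client IP; repeated probes rank highest."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['timestamp']} {f['status']} {f['indicators']} {f['path']}")
    print(suspicious_clients(results))
```

On the constructed sample this flags the two probes from 192.0.2.10 and leaves the legitimate `O'Brien` search alone; the 500 status on the UNION request is the kind of server error that, paired with an indicator hit, deserves a same-day look. A pattern list like this is deliberately narrow and will miss encoded or novel payloads, so it complements rather than replaces a proper intrusion detection system, which is the control FINRA faulted the firm for not deploying.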
FINRA specifically found it compelling that Davidson had retained independent security consultants in 2006 and 2007 and had implemented the majority of the consultants’ recommendations, but had failed to put in place the recommended intrusion detection system. Even without the system, the security consultants themselves were apparently unable to breach Davidson’s security.
Regulated broker-dealers and other financial institutions subject to Regulation S-P or other Gramm-Leach-Bliley Act (GLBA) regulations, including the FTC’s Safeguards Rule, should take note of the alleged violations in this case. Regulated entities with online customer accounts should consider whether they have implemented intrusion detection systems, routinely monitor web server logs, and have adopted written incident response procedures.