Wednesday, May 05, 2010

Failure to Protect Clients from Hackers

Recently the US regulator FINRA fined D.A. Davidson & Co. $375,000 for failing to protect confidential customer information: the firm's inadequate safeguards allowed an international crime group to improperly access the confidential records of approximately 192,000 customers.


Prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm's procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place.

On 25 and 26 December 2007, D.A. Davidson's database was compromised when an unidentified third party downloaded confidential customer information through a sophisticated network intrusion. To breach D.A. Davidson's system, the hacker employed a technique called "SQL injection," an attack in which database commands are repeatedly submitted through a Web page's input so that the database executes them and returns its contents. The hacker was able to access and download the affected customers' confidential information. Although these attacks were recorded in the Web server logs, the firm never reviewed those logs.
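The two failures described above, the injectable query and the unreviewed Web server logs, are shown side by side in the following Python example. It is an added illustration, not code from the original post or from the firm's systems: the customer table, the account-lookup function and the log lines are all constructed for the example, and the `lookup_safe` function shows the parameterised form that would have treated the input as data rather than as part of the query.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data (fake account numbers, SSNs and names).
SAMPLE_ROWS = [
    ("1001", "111-11-1111", "Alice Example"),
    ("1002", "222-22-2222", "Bob Example"),
]


def build_db():
    """In-memory SQLite table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, ssn TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, account):
    """Defect: the input is pasted into the SQL text, so input containing
    SQL syntax changes the query instead of being compared as a value."""
    sql = "SELECT account, name FROM customers WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    """Fix: parameter binding. The value travels separately from the
    statement, so it can never alter the query structure."""
    sql = "SELECT account, name FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


# Constructed Web server log lines in the common combined format. The
# second and third requests carry the query shapes a log review should flag.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Dec/2007:02:14:07 -0700] "GET /account.asp?id=1001 HTTP/1.1" 200 512
203.0.113.5 - - [25/Dec/2007:02:14:09 -0700] "GET /account.asp?id=1001'%20OR%20'1'='1 HTTP/1.1" 200 98304
203.0.113.5 - - [25/Dec/2007:02:14:11 -0700] "GET /account.asp?id=1001%20UNION%20SELECT%20ssn,name%20FROM%20customers HTTP/1.1" 200 98304
198.51.100.9 - - [25/Dec/2007:02:15:00 -0700] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)

# Indicators that a request parameter contains SQL rather than a plain value.
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I),  # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b.+\bselect\b", re.I),        # UNION SELECT appended to a query
    re.compile(r"--|/\*"),                             # SQL comment markers in a URL
]


def review_logs(text):
    """Return (ip, timestamp, decoded path, status, bytes) for each request
    whose URL-decoded path matches an injection indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # decode %20 etc. before matching
        if any(p.search(path) for p in INJECTION_PATTERNS):
            hits.append((m.group("ip"), m.group("ts"), path,
                         int(m.group("status")), int(m.group("bytes"))))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "1001"))
    print("vulnerable, SQL in input:", lookup_vulnerable(db, "' OR '1'='1"))
    print("parameterised, same input:", lookup_safe(db, "' OR '1'='1"))
    for hit in review_logs(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The log reviewer is deliberately simple: it decodes the request path and matches a few SQL shapes, and reports the source address, time, status and response size. The large response size on the flagged requests is the detail an analyst would follow up on, since a successful extraction returns far more data than a normal account lookup.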

Between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007.

The breach was discovered through an email that was sent by the hacker on 16 January 2008, blackmailing the firm. Upon receiving the threat, D.A. Davidson reported the incident to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana.

In assessing the fine, FINRA took into consideration the firm's quick response to protect its customers, its cooperation with law enforcement authorities, and the fact that, to date, no customer has suffered any instance of identity theft.

IT security risk is quite high today. Recently the SFC also issued a circular on IT management to all licensed corporations, suggesting control techniques and procedures in the following key areas:
  • Information security policy;
  • Access control;
  • Encryption;
  • Change management;
  • User activities monitoring; and
  • Data backup and continuity planning
