Company Failed to Secure Database, FINRA Fined $375,000

FINRA, the Financial Industry Regulatory Authority, on April 12, 2010, announced that it has charged $375,000 to D.A. Davidson & Co., of Great Falls, MT. The accusation came after the company failed to guard confidential information of its customers by permitting an international crime group to offensively access and hack the sensitive details of around 192,000 customers.

FINRA said that the company did not take adequate precautions to defend the safety and privacy of customer information and records that were stored in a database stored on a Web server of the computer with a steady open Internet connection.

As reported, on Dec 25 and 26 in the year 2007, FINRA noted that the database of D.A. Davidson was hacked when an unknown third party downloaded private details of the customers via sophisticated network invasion.

Later on, the hacker intruded the system of D.A. Davidson using SQL injection. It is an attack wherein a computer code is time and again inserted into a Web page to mine personal data from a database. The hacker successfully accessed and downloaded the confidential information of affected customers.

Then, the company came to know about the breach on January 16, 2008 when an attacker e-mailed it in an effort to blackmail it. The vulnerable information encompassed names, dates of birth, addresses, customer social security numbers, account numbers, and other confidential information.

The report asserts that the company's measures for defending that data were not appropriate in the sense that it did not encrypted the database, and it never enforced a password, hence leaving default blank password in position.

James S. Shorris, FINRA Executive Vice President and Executive Director of Enforcement, said that the Broker-dealers should be particularly watchful about defending the sensitive information of its customers, giving special stress on ensuring sufficient technology do deal with the data security issues, as per the news published by pr-inside.com on April 12, 2010.

He also said that D.A. Davidson failed to execute basic precautions to protect that information, although it was advised prior to this incident to put an intrusion detection system in place.

Related article: Companies Should Report Cybercrime

» SPAMfighter News - 4/23/2010