FINRA Fines D.A. Davidson & Co. $375,000 for Failure to Protect Confidential Customer Information
The Financial Industry Regulatory Authority (FINRA) issued the following press release today:
The Financial Industry Regulatory Authority (FINRA) announced today that it has fined D.A. Davidson & Co., of Great Falls, MT, $375,000 for its failure to protect confidential customer information by allowing an international crime group to improperly access and hack the confidential information of approximately 192,000 customers.
FINRA found that prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm’s procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place.
“Broker-dealers must be especially vigilant about protecting its customers’ confidential information, which includes ensuring that its technology is sufficient,” said FINRA Executive Vice President and Executive Director of Enforcement James S. Shorris. “In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data – even though the firm had been advised before this incident to implement an intrusion detection system.”
FINRA found that on Dec. 25 and 26, 2007, D.A. Davidson’s database was compromised when an unidentified third party downloaded confidential customer information through a sophisticated network intrusion. To breach D.A. Davidson’s system, the hacker employed a mechanism called “SQL injection,” an attack in which computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database. The hacker was able to access and download the affected customers’ confidential information. While these attacks were visible on Web server logs, the firm failed to review those logs.
FINRA also found that between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007.
The breach was discovered through an email that was sent by the hacker on Jan.16, 2008, blackmailing the firm. Upon receiving the threat, D.A. Davidson reported the incident to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana.
FINRA took into consideration the firm’s quick response to protect its customers and cooperation with law enforcement authorities and the fact that do date, no customer has suffered any instance of identity theft when assessing the fine in this matter.
In settling this matter, the firm neither admitted nor denied the charges, but consented to the entry of FINRA’s findings.
Investors can obtain more information about, and the disciplinary record of, any FINRA-registered broker or brokerage firm by using FINRA’s BrokerCheck. FINRA makes BrokerCheck available at no charge. In 2009, members of the public used this service to conduct 18.5 million reviews of broker or firm records. Investors can access BrokerCheck at www.finra.org/brokercheck or by calling (800) 289-9999.
FINRA is the largest non-governmental regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing and enforcing rules and the federal securities laws, informing and educating the investing public, providing trade reporting and other industry utilities, and administering the largest dispute resolution forum for investors and registered firms. For more information, please visit our Web site at www.finra.org.
A class-action lawsuit against D.A. Davidson settled in November 2009.