
Brokerage hit with $375,000 fine over 2007 data breach

Davidson & Co. failed to implement adequate security measures, financial regulatory body says

By Jaikumar Vijayan
April 14, 2010 05:58 PM ET

The Financial Industry Regulatory Authority (FINRA) has fined brokerage firm Davidson & Co. $375,000 over a 2007 data breach in an action that highlights the growing attention regulators are paying to the controls companies have in place for protecting customer data.

The breach resulted in the exposure of customer names, account numbers, addresses, Social Security numbers, dates of birth and other confidential information belonging to about 192,000 customers.

The attack stemmed from a SQL injection vulnerability that allowed unknown hackers to break into a Davidson database server containing the data.
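The class of flaw at the center of the case, shown as an added example that is not code from the article or from Davidson: a lookup that splices a caller-supplied account number into the SQL text, beside the parameterized form that closes the hole, both run against a constructed in-memory SQLite table standing in for a customer database. The table layout, the rows and the payload are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows standing in for a customer database; every value
# here is made up for this illustration.
CUSTOMERS = [
    ("1001", "Alice Example", "123-45-6789"),
    ("1002", "Bob Example", "987-65-4321"),
    ("1003", "Carol Example", "555-55-5555"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_no TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_no):
    """Splices the input into the SQL text, so the input can rewrite the
    query's logic. With account_no = "' OR '1'='1" the WHERE clause becomes
    always-true and every row in the table comes back."""
    sql = ("SELECT account_no, name, ssn FROM customers "
           "WHERE account_no = '" + account_no + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_no):
    """Sends the SQL text and the value separately; the driver binds the value
    as data, so the same payload is compared as a literal string and matches
    no row."""
    sql = "SELECT account_no, name, ssn FROM customers WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("normal lookup:          ", lookup_vulnerable(db, "1001"))
    print("vulnerable + payload:   ", lookup_vulnerable(db, payload))
    print("parameterized + payload:", lookup_parameterized(db, payload))
```

Parameterization removes the injection path; it does nothing about the other findings in the case (a default vendor password, unencrypted data at rest, logs nobody reviewed), which are separate controls.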

The company learned of the breach in January 2008 when it received an extortion note from one of the perpetrators seeking money in return for their not publicly releasing the stolen data.

In a statement announcing the fine, FINRA said the breach had resulted from Davidson's failure to implement well-known and recommended security measures for protecting customer data. It said that Davidson had failed to encrypt sensitive customer data, and had kept its customer database on a Web server with a default vendor password and a "constant open Internet connection."

The regulatory body also faulted Davidson for allegedly failing to review network logs that would have revealed the intrusion and the illegal access. FINRA noted that Davidson had not acted on a key recommendation from a third-party auditor in 2006 calling on the company to implement a network intrusion detection system.
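What a review of the web server's own logs can surface, as an added example that is not from the article and does not describe Davidson's systems: a scan over constructed Apache combined-format access-log lines that flags query parameters carrying injection indicators and, separately, responses far larger than the norm for their path, which is how a query that returns every row instead of one tends to show up. The addresses, timestamps, paths, byte counts and indicator patterns are all assumptions.

```python
import re
from statistics import median
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format. Every address,
# timestamp, path and byte count is made up for this illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2008:02:14:07 -0700] "GET /account/view?acct=1001 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2008:02:14:09 -0700] "GET /account/view?acct=1001' HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2008:02:14:15 -0700] "GET /account/view?acct=1001'%20OR%20'1'%3D'1 HTTP/1.1" 200 98812 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2008:02:15:00 -0700] "GET /account/view?acct=1002 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2008:02:16:41 -0700] "GET /account/view?acct=1001'%20UNION%20SELECT%20name,ssn,1%20FROM%20customers-- HTTP/1.1" 200 401233 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators checked against each URL-decoded query parameter value. These
# are illustrative patterns, not a complete injection signature set.
SQLI_INDICATORS = [
    ("quote", re.compile(r"'")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\bor\b\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("comment", re.compile(r"--|/\*|;")),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def sqli_indicators(target):
    """(param, reason) pairs for query parameters that match an indicator."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for reason, pattern in SQLI_INDICATORS:
            if pattern.search(value):
                hits.append((name, reason))
    return hits


def scan_for_injection(log_text):
    """Entries whose query string carries at least one injection indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = sqli_indicators(entry["target"])
        if hits:
            entry["reasons"] = sorted({reason for _, reason in hits})
            flagged.append(entry)
    return flagged


def oversized_responses(log_text, factor=10):
    """Entries whose response is more than `factor` times the median size for
    the same path. A lookup that dumps the table instead of one row is an
    outlier here even if the request itself looked unremarkable."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    sizes_by_path = {}
    for e in entries:
        sizes_by_path.setdefault(urlsplit(e["target"]).path, []).append(e["size"])
    return [e for e in entries
            if e["size"] > factor * median(sizes_by_path[urlsplit(e["target"]).path])]


def attacker_ips(log_text):
    """Source addresses seen sending requests with injection indicators."""
    return {e["ip"] for e in scan_for_injection(log_text)}


if __name__ == "__main__":
    for e in scan_for_injection(SAMPLE_LOG):
        print("injection:", e["ip"], e["ts"], e["status"], e["reasons"])
    for e in oversized_responses(SAMPLE_LOG):
        print("oversized:", e["ip"], e["target"], e["size"])
```

The two checks are complementary: the indicator scan catches the probing (the lone quote that produced a 500, then the tautology and UNION payloads), while the size check catches the exfiltration even when the payload is encoded in a way the indicator patterns miss. Neither needs a network intrusion detection system; both only need someone to run them over the logs the server already writes.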

In determining the amount of the fine, FINRA took into account Davidson's quick response to the situation and its cooperation with law enforcement once it learned of the attack, the statement said. The fact that the stolen data has not yet been misused was also taken into account, it said.

In e-mailed comments, a spokeswoman from Davidson said the regulatory body's statement left out some "very pertinent information." Shortly before the breach, a third-party auditor had certified that it had been unable to penetrate Davidson's external security controls, the spokeswoman said.

She maintained that the techniques the hackers used to break into its systems were "relatively sophisticated and new at the time."

"Davidson has settled with regulators because we believe this is the most efficient way to put the matter behind us and focus on what's most important -- the present and future needs of our clients," the spokeswoman said.

She insisted that the company had extensive security procedures in place at the time of the intrusion and noted that the database server had been protected by a firewall.

Davidson had also "regularly reviewed" perimeter security logs prior to the incident but did not see the attacks because they did not show up on any logs, she said. Davidson was also in the process of testing an intrusion detection system at the time it was breached, she added.

The settlement between FINRA and Davidson comes at a time when enterprise security controls are coming under increasing scrutiny from customers, courts and regulators. Several cases are currently pending in courts around the country involving companies that have been hit with lawsuits for failing to demonstrate due diligence on information security matters.

Last September, the U.S. District Court for the Northern District of Illinois allowed a couple whose home equity loan account was looted to bring a negligence claim against Citizens Financial Bank after determining the bank had not employed adequate controls.

In Michigan, a manufacturing company that was robbed of more than $550,000 has sued its financial institution for not doing enough to protect its money.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
