Montana Financial Co. Fined for Breach
192K Customer Records Taken; $375K Fine Imposed
A Montana financial consulting company has been fined $375,000 following a breach that occurred in 2007. More than 190,000 customers had their personal information exposed to hackers.
D.A. Davidson & Co., of Great Falls, MT, was fined by the Financial Industry Regulatory Authority (FINRA) for failing to protect confidential customer information. An international crime group hacked into one of the company's servers and accessed the records of 192,000 customers. FINRA is the non-governmental regulator for all securities firms doing business in the United States.
FINRA says it found that before January 2008, D.A. Davidson lacked adequate safeguards for confidential customer records stored in a database on one of its servers, which had an open Internet connection. The unprotected data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other confidential information. FINRA says the firm's procedures for protecting the information were deficient, the database was not encrypted, and the company never set a password to protect access to the server, leaving the default blank password in place.
"Broker-dealers must be especially vigilant about protecting its customers' confidential information, which includes ensuring that its technology is sufficient," says FINRA Executive Vice President and Executive Director of Enforcement James S. Shorris in a statement regarding the case. "In this case, the firm placed its database containing confidential customer information on a server that was perpetually exposed to the Internet, but failed to implement basic safeguards to protect that data - even though the firm had been advised before this incident to implement an intrusion detection system."
The company's database was compromised on Dec. 25 and 26, 2007, FINRA says, when an unidentified third party downloaded confidential customer information through a SQL injection attack. The attacks were visible in the Web server logs, but the firm failed to review those logs. FINRA also says it found that between April 2006 and October 2007, the firm retained independent auditors and outside security consultants to review and/or audit its network security. The consultants recommended enhancements to the company's security systems. Although the firm implemented the majority of those recommendations, it failed to act on one made in April 2006: that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007.
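As an added illustration, not part of the article and not the firm's own tooling: a small log-review script that scans constructed Apache-style access-log lines for the request patterns a SQL injection attempt leaves behind, the kind of review the article says never happened. The log lines, IP addresses, paths and indicator list are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not from the
# incident in the article. Two are ordinary requests, two carry SQL injection
# payloads of the kind an unreviewed log would have recorded.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Dec/2007:02:14:07 -0700] "GET /accounts.asp?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [25/Dec/2007:02:14:09 -0700] "GET /accounts.asp?id=1042%27%20OR%201%3D1-- HTTP/1.1" 200 98304 "-" "Mozilla/4.0"
198.51.100.9 - - [25/Dec/2007:02:15:11 -0700] "GET /images/logo.gif HTTP/1.1" 304 0 "-" "Mozilla/4.0"
203.0.113.5 - - [25/Dec/2007:02:16:33 -0700] "GET /accounts.asp?id=0%20UNION%20SELECT%20ssn,dob%20FROM%20customers HTTP/1.1" 500 417 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators matched against the URL-decoded request path, each with a label
# that goes into the finding. Deliberately a short, readable list.
INDICATORS = [
    (re.compile(r"\bunion\b.{0,20}\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I), "tautology after quote"),
    (re.compile(r"(--|/\*|;)\s*$|--\s", re.I), "SQL comment/terminator"),
    (re.compile(r"\b(sleep|waitfor|benchmark)\s*\(", re.I), "time-based probe"),
]

def decode(path):
    """URL-decode until stable so double encoding (%2527) cannot hide a quote."""
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)
    return path

def scan_log(text):
    """Return one finding dict per request whose decoded path hits an indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip it
        decoded = decode(m["path"])
        hits = [label for pat, label in INDICATORS if pat.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "bytes": m["size"], "path": decoded, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['bytes']}B {f['indicators']} {f['path']}")
```

The response size on the flagged 200 (98304 bytes against 5120 for the ordinary request) is the second signal a reviewer would weigh alongside the payload itself.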
The breach was finally discovered when the hacker sent an email on Jan. 16, 2008, attempting to blackmail the firm. D.A. Davidson reported the threat to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the attack on the firm. Three of the suspects were extradited from Eastern Europe, arrested and face charges in federal court in Montana. So far no customer has suffered any identity theft because of the breach.
For more on financial services data breaches, see the updated timeline of 2010 incidents.