BreachExchange mailing list archives
follow-up: Brokerage Firm Fined $375,000 for Unsecured Data
From: security curmudgeon <jericho () attrition org>
Date: Wed, 14 Apr 2010 08:58:03 +0000 (UTC)
http://www.wired.com/threatlevel/2010/04/brokerage-firm-fined/

Brokerage Firm Fined $375,000 for Unsecured Data
By Kim Zetter
April 13, 2010

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme.

The hackers used a SQL injection attack to obtain access to the company's database on Dec. 25 and 26, 2007. The Financial Industry Regulatory Authority, which announced the fine agreement on Monday, said although the attack activity was reflected in the brokerage's server logs, administrators failed to examine those logs.

The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen). The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.

The company discovered the breach only after receiving an extortion e-mail from one of the hackers on Jan. 16, 2008, which contained an attachment with the records of 20,000 customers as proof of the intrusion.

DA Davidson contacted the Secret Service, and the subsequent investigation led to four suspects, three of whom are Latvian nationals, who were extradited from the Netherlands to face charges in Montana. Aleksandrs Hoholko, 30, Jevgenijs Kuzmenko, 26, and Vitalijs Drozdovs, 33, pleaded guilty last month in Montana to making threatening communications and receiving extortion proceeds. They are scheduled to be sentenced in June.

The fourth suspect, who called himself Robert Borko (.pdf) in correspondence with the brokerage firm, has not yet appeared in court.

[..]
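The regulator's point is that the evidence was already in the web server logs and nobody looked. The following is an added example, not part of the original post or of any DA Davidson material: a small Python scanner that walks combined-format access log lines, URL-decodes each request path, and flags the classic SQL injection indicators so that a daily review would surface them. The log lines, IP addresses and timestamps are constructed for the example; the indicator patterns are generic and will need tuning against a real application's traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log in Apache/nginx "combined" format.
# These are NOT real DA Davidson log entries; they just mirror the shape
# of the probing the article describes (a normal request, two injection
# attempts from one source, and a benign request containing an apostrophe).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2007:03:14:07 +0000] "GET /account/view?id=1021 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Dec/2007:03:14:09 +0000] "GET /account/view?id=1021%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Dec/2007:03:14:12 +0000] "GET /account/view?id=1021%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 412 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Dec/2007:03:15:00 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that matter for this check.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the URL-decoded path. Each name becomes a
# "reason" in the finding. A lone apostrophe (O'Brien) is deliberately
# not an indicator; it is far too common in legitimate input.
SQLI_INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "sql_comment": re.compile(r"(?:--|/\*)"),
    "tautology": re.compile(r"(?:'|\d)\s*=\s*(?:'|\d)"),
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Decode %xx escapes (and '+') so obfuscated payloads are visible.
    fields["decoded_path"] = unquote_plus(fields["path"])
    fields["status"] = int(fields["status"])
    return fields


def scan_log(text):
    """Return a list of findings: one dict per line that trips an indicator."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = sorted(
            name for name, pattern in SQLI_INDICATORS.items()
            if pattern.search(fields["decoded_path"])
        )
        if reasons:
            findings.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "status": fields["status"],
                "path": fields["decoded_path"],
                "reasons": reasons,
            })
    return findings


def hits_per_source(findings):
    """Count flagged requests per source IP; repeated probes from one
    address are the pattern a reviewer should escalate."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} <- {', '.join(f['reasons'])}")
    print("flagged requests per source:", hits_per_source(found))
```

Run on the constructed sample, the scanner flags the two injection attempts from 203.0.113.7 and leaves the O'Brien search alone; the per-source count is what turns two stray alerts into an incident worth opening. In production the same logic belongs in a scheduled job or a SIEM rule, with the HTTP 500 responses and unusually large 200 responses (the second sample line returns far more data than the first) reviewed alongside the pattern matches.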
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/