BreachExchange mailing list archives

follow-up: Brokerage Firm Fined $375,000 for Unsecured Data


From: security curmudgeon <jericho () attrition org>
Date: Wed, 14 Apr 2010 08:58:03 +0000 (UTC)


http://www.wired.com/threatlevel/2010/04/brokerage-firm-fined/

Brokerage Firm Fined $375,000 for Unsecured Data
By Kim Zetter
April 13, 2010

Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for 
failing to protect confidential client data from Latvian hackers who 
breached the company in 2007 in an online extortion scheme.

The hackers used a SQL injection attack to obtain access to the company's 
database on Dec. 25 and 26, 2007.

The Financial Industry Regulatory Authority, which announced the fine 
agreement on Monday, said although the attack activity was reflected in 
the brokerage's server logs, administrators failed to examine those logs. 
The intruders obtained data on about 192,000 customers, according to the 
press release announcing the fine. (Previous reports indicated that more 
than 300,000 customer files were stolen). The data included customer 
account numbers, Social Security numbers, names, addresses, dates of birth 
and other private information.

The company discovered the breach only after receiving an extortion e-mail 
from one of the hackers on Jan. 16, 2008, which contained an attachment 
with the records of 20,000 customers as proof of the intrusion. DA 
Davidson contacted the Secret Service, and the subsequent investigation 
led to four suspects, three of whom are Latvian nationals, who were 
extradited from the Netherlands to face charges in Montana.

Aleksandrs Hoholko, 30, Jevgenijs Kuzmenko, 26, and Vitalijs Drozdovs, 33, 
pleaded guilty last month in Montana to making threatening communications 
and receiving extortion proceeds. They are scheduled to be sentenced in 
June. The fourth suspect, who called himself Robert Borko (.pdf) in 
correspondence with the brokerage firm, has not yet appeared in court.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

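The article's point that the intrusion was "reflected in the brokerage's server logs" but nobody looked is the detection lesson here. The following is an added example, not part of the original post or of the Wired article, and it does not reproduce DA Davidson's real logs: it runs a small set of SQL injection indicators over constructed Apache-style access log lines (the hostnames, paths, IPs, sizes and the `account.asp` parameter are all invented) and groups hits by source address, which is the kind of pass that would have surfaced a two-day SQL injection campaign against a web-facing database.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format. They are invented
# for this example; the brokerage's actual logs are not on the page.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2007:03:14:07 +0000] "GET /account.asp?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:03:14:09 +0000] "GET /account.asp?id=1042' HTTP/1.1" 500 312 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:03:14:12 +0000] "GET /account.asp?id=1042%27%20OR%201%3D1-- HTTP/1.1" 200 98211 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:03:15:30 +0000] "GET /account.asp?id=-1%20UNION%20SELECT%20name,ssn,NULL%20FROM%20clients HTTP/1.1" 200 640001 "-" "Mozilla/4.0"
198.51.100.4 - - [25/Dec/2007:09:02:41 +0000] "GET /research.asp?q=O%27Reilly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns, applied to the URL-decoded, lower-cased query string.
# Dictionary order determines the order of indicator names in the result.
INDICATORS = {
    # UNION-based data extraction (the stage that actually pulls records)
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    # quote followed by an always-true comparison, e.g. ' OR 1=1
    "tautology": re.compile(r"'\s*or\s+\S+?\s*=\s*\S+"),
    # SQL comment used to discard the rest of the original statement
    "sql_comment": re.compile(r"--|/\*"),
    # lone trailing quote: the classic first probe for an injectable parameter
    "trailing_quote": re.compile(r"'\s*$"),
}


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Return the names of every indicator that matches the decoded query string of a request path."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text):
    """Return a finding for each request whose query string trips at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["path"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": int(rec["status"]),
                "path": rec["path"],
                "indicators": hits,
            })
    return findings


def suspicious_sources(findings, min_hits=2):
    """Map source IP -> number of flagged requests, keeping sources at or above min_hits.

    A single hit can be a false positive (an apostrophe in a name); repeated hits
    from one address within a short window are the pattern an analyst should chase.
    """
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} -> {', '.join(f['indicators'])}")
    print("sources with repeated hits:", suspicious_sources(found))
```

The legitimate `O'Reilly` search in the last sample line is there on purpose: it contains a quote but trips none of the patterns, while the probing address accumulates three hits in under two minutes. In practice this pass would be run on a schedule against the real log source, with the indicator list tuned to the application's own parameters, and response-size jumps like the ones in the sample (5 KB to 640 KB from the same endpoint) treated as a second, independent signal.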

