Exclusive: Anatomy Of A Brokerage IT Meltdown

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/security/attacks/exclusive-anatomy-of-a-brokerage-it-melt/240008569

By Mathew J. Schwartz
InformationWeek
October 08, 2012

The network slowdown was one of the first clues that something was amiss 
at GunnAllen Financial, a now defunct broker-dealer whose IT problems 
were only a symptom of widespread mismanagement and deeper misconduct at 
the firm.

It was the spring of 2005. Over a period of roughly seven business days, 
traffic had slowed to a crawl at the Tampa, Fla.-based firm, which had 
outsourced its IT department to The Revere Group. GunnAllen's acting 
CIO, a Revere Group partner, asked a member of the IT team to 
investigate.

Dan Saccavino, a former Revere Group employee who at the time served at 
GunnAllen as the IT manager in charge of the help desk, laptops, and 
desktops, says he and another network engineer eventually pinpointed the 
cause of the slowdown: A senior network engineer had disabled the 
company's WatchGuard firewalls and routed all of the broker-dealer's IP 
traffic--including trades and VoIP calls--through his home cable modem. 
As a result, none of the company's trades, emails, or phone calls were 
being archived, in violation of Securities and Exchange Commission 
regulations.

Despite the fact that at least five people at The Revere Group knew 
about the engineer's action, it's unclear whether it was reported at the 
time to GunnAllen or regulators. The SEC didn't reference the incident 
in a subsequent announcement about a settlement with GunnAllen for 
unrelated privacy and data security violations, and interviews with 
former Revere Group employees reveal that regulators may have known 
about only a fraction of the data security failures at the firm.

What follows is a chronicle of one firm's myriad IT and other missteps 
over a period of at least four years, as related by former employees and 
various official documents. It's a cautionary tale of what happens when 
a company tosses all IT responsibility over a wall and rarely peeks 
back. It also reveals what happens when an IT outsourcing vendor gets in 
over its head, and it points to the failures of regulators to identify 
and clean up a corporate mess on a grand scale.

While these missteps go back as far as seven years, they have continuing 
relevance today in the context of how businesses oversee outsourcing, 
information security, regulatory, and employee matters.

[...]


--
Get your CEH, CISSP or ISSMP with ExpandingSecurity.com Live OnLine classes that will not wreck your schedule.
Come to a free class and see how good our program really is. Free weekly PainPill: 
http://www.expandingsecurity.com/PainPill