From: security curmudgeon (jerichoattrition.org)
Date: Wed Apr 14 2010 - 03:58:03 CDT
Brokerage Firm Fined $375,000 for Unsecured Data
By Kim Zetter
April 13, 2010
Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for
failing to protect confidential client data from Latvian hackers who
breached the company in 2007 in an online extortion scheme.
The hackers used a SQL injection attack to obtain access to the company's
database on Dec. 25 and 26, 2007.
The Financial Industry Regulatory Authority, which announced the fine
agreement on Monday, said although the attack activity was reflected in
the brokerage's server logs, administrators failed to examine those logs.
The intruders obtained data on about 192,000 customers, according to the
press release announcing the fine. (Previous reports indicated that more
than 300,000 customer files were stolen). The data included customer
account numbers, Social Security numbers, names, addresses, dates of birth
and other private information.
The company discovered the breach only after receiving an extortion e-mail
from one of the hackers on Jan. 16, 2008, which contained an attachment
with the records of 20,000 customers as proof of the intrusion. DA
Davidson contacted the Secret Service, and the subsequent investigation
led to four suspects, three of whom are Latvian nationals, who were
extradited from the Netherlands to face charges in Montana.
Aleksandrs Hoholko, 30, Jevgenijs Kuzmenko, 26, and Vitalijs Drozdovs, 33,
pleaded guilty last month in Montana to making threatening communications
and receiving extortion proceeds. They are scheduled to be sentenced in
June. The fourth suspect, who called himself Robert Borko (.pdf) in
correspondence with the brokerage firm, has not yet appeared in court.
Dataloss Mailing List (datalossdatalossdb.org)
Archived at http://seclists.org/dataloss/