The Financial Industry Regulatory Authority (FINRA) has fined a Montana financial-services firm for failing to protect confidential customer data when criminal hackers used SQL injection to access the records of 192,000 customers.
According to FINRA, D.A. Davidson & Co.'s database containing sensitive customer records was compromised on Dec. 25 and Dec. 26 in 2007 when an intruder used a SQL injection attack to extract information. The Great Falls-based firm failed to protect the database by placing it on a Web server with a constant open Internet connection, not encrypting data, and using a default blank password, FINRA said.
The attacks were visible on Web server logs, but D.A. Davidson failed to review the logs, the regulator said. The breach was discovered after the intruder sent an email on Jan. 16, 2008 that tried to blackmail the firm.
The firm hadn't implemented an intrusion detection system, despite a recommendation to do so by independent security consultants months before the breach, FINRA said.
After receiving the email threat, D.A. Davidson immediately called law enforcement and helped the Secret Service to identify four individuals suspected in the hacking scheme, according to FINRA. The regulator said it took the firm's cooperation with law enforcement and the fact that no customers have suffered from identity theft as a result of the breach into account in assessing the fine.