FINRA has hit DA Davidson with a $375,000 fine for failing to safeguard confidential client information after a group of criminals hacked into the firm’s computer and got access to data for approximately 192,000 customers.

The Great Falls, Montana-based firm agreed to pay the fine without admitting or denying the findings, according to a FIRNA document. 

In January 2008, DA Davidson used a public facing computer web server that hosted certain web pages of the company behind an external perimeter firewall, FINRA stated. That server was also home to a database containing the customer information even though the web pages didn’t offer clients online transactions. The web pages, FINRA said, were “purely informational.” But the database was on a computer that left it exposed to the Internet and wasn’t encrypted. Nor did the firm activate a protected password.

Prior to the breach—between April 2006 and October 2007—DA Davidson hired independent auditors and outside security consultants to examines its computer security. But even though the firm implemented several it didn’t put in an intrusion detection system that the experts suggested.

Then on Dec. 25 and 26, 2007, an unidentified third party downloaded the client information through “a sophisticated network intrusion,” FINRA stated. DA Davidson learned of the breach when a hacker emailed the firm on Jan. 16, 2008 in an attempt to blackmail the firm. “The perpetrator, who is believed to be part of an international crime group under investigation by the U.S. Secret Service, demanded that the firm pay a sum of money.” 

The hacker breached DA Davidson’s system using an “SQL injection” or a structured query language injection, which is an attack in which a computer code is repeated inserted into a web page in order to extract information from a database.

The hacker got access to the records of approximately 230,000 clients, of which 192,000 were individuals while the rest were the accounts of corporations or other entities.

 The attacks, FINRA said, “were visible on web server logs, however the firm failed to review those logs.” In addition, DA Davidson didn’t have any written procedures in place to review the logs; nor did it have an intrusion detection system.

In response to a query from On Wall Street, DA Davidson gave this explanation: “The firm regularly reviewed the perimeter security logs; however, the hacker’s attacks were not visible on those logs.” In addition, the firm’s spokesperson said DA Davidson had “tested several different intrusion detection systems in 2006/2007 and was in the process of testing an additional system at the time of the attack. The recommendation to install an IDS was not made as a result of the database or server involved in the hacking incident.” Finally, DA Davidson said, “in October 2007, the firm received a audit report from a third-party information technology audit firm stating that the auditor had been unable to breach the firm's external security.”

After the firm got the blackmail threat, it contacted law enforcement and cooperated with authorities. As a result, four members of the hacker group have been indicted and three extradited to the United States. DA Davidson also took down the website and removed sensitive client information from the database. The firm also hired another consultant and added more protections, including encryption software, intrusion detection and another firewall.

DA Davidson also spent $1.3 million on other remedial steps plus settled a class action lawsuit with affected customers. “To date, to the firm’s knowledge, no customer has suffered any instances of identity theft or other actual damages as a result of the information security breach,” FINRA said.