
DA Davidson To Pay FINRA Fine

April 12, 2010

FINRA has hit DA Davidson with a $375,000 fine for failing to safeguard confidential client information after a group of criminals hacked into the firm’s computer and got access to data for approximately 192,000 customers.

The Great Falls, Montana-based firm agreed to pay the fine without admitting or denying the findings, according to a FINRA document.

In January 2008, DA Davidson used a public-facing web server, sitting behind an external perimeter firewall, to host certain of the company's web pages, FINRA stated. That server was also home to a database containing the customer information, even though the web pages did not offer clients online transactions. The web pages, FINRA said, were "purely informational." But the database sat on a computer that was exposed to the Internet, was not encrypted, and was not password-protected.

Prior to the breach, between April 2006 and October 2007, DA Davidson hired independent auditors and outside security consultants to examine its computer security. Although the firm implemented several of their recommendations, it did not put in the intrusion detection system the experts suggested.

Then on Dec. 25 and 26, 2007, an unidentified third party downloaded the client information through “a sophisticated network intrusion,” FINRA stated. DA Davidson learned of the breach when a hacker emailed the firm on Jan. 16, 2008 in an attempt to blackmail the firm. “The perpetrator, who is believed to be part of an international crime group under investigation by the U.S. Secret Service, demanded that the firm pay a sum of money.” 

The hacker breached DA Davidson's system using an "SQL injection," or structured query language injection, an attack in which database commands are repeatedly inserted into the input fields of a web page so that the database executes them and gives up its contents.
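To make the mechanism concrete, here is an added example (not code from the article or from DA Davidson) in Python with SQLite. The schema and the sample customer rows are constructed for the demonstration. The vulnerable lookup splices user input into the query text, so a single quote in the input changes the query's logic; the hardened lookup binds the value as a parameter, so the same input is compared as a literal string and matches nothing.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a customer database; not the firm's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "ACCT-0001"), (2, "bob", "ACCT-0002"), (3, "carol", "ACCT-0003")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the caller's value becomes part of the SQL text,
    # so quote characters in it are parsed as SQL rather than as data.
    sql = "SELECT id, name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the value is bound separately by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT id, name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Row counts returned by each lookup for an ordinary and a crafted input."""
    conn = make_db()
    honest = "alice"
    crafted = "x' OR '1'='1"  # closes the quote and appends an always-true condition
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_honest": len(lookup_safe(conn, honest)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable lookup returning every row for the crafted input (the WHERE clause has become `name = 'x' OR '1'='1'`), while the parameterized lookup returns nothing for it and one row for the honest name. The fix is the same for any database driver: never build SQL by concatenating untrusted input; bind it.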

The hacker got access to the records of approximately 230,000 clients, of which 192,000 were individuals while the rest were the accounts of corporations or other entities.

The attacks, FINRA said, "were visible on web server logs, however the firm failed to review those logs." In addition, DA Davidson didn't have any written procedures in place to review the logs; nor did it have an intrusion detection system.
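FINRA's point is that the intrusion was visible in the web server's own logs. The following is an added example (not code from the article or from DA Davidson) of the kind of routine log review that would have surfaced it: a Python script that parses Apache combined-format access-log lines, URL-decodes each query parameter, and flags requests carrying common SQL injection indicators, then counts flagged requests per source address. The log lines, addresses and page names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache combined format; not from the firm's servers.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2007:02:14:01 -0700] "GET /about.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [25/Dec/2007:02:14:09 -0700] "GET /about.asp?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 9871 "-" "Mozilla/4.0"
198.51.100.9 - - [25/Dec/2007:02:14:12 -0700] "GET /about.asp?id=12%20UNION%20SELECT%20name%2Cacct%20FROM%20clients HTTP/1.1" 500 412 "-" "Mozilla/4.0"
203.0.113.7 - - [25/Dec/2007:02:15:30 -0700] "GET /news.asp?page=3 HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
198.51.100.9 - - [25/Dec/2007:02:15:44 -0700] "GET /about.asp?id=12%20AND%201%3D2 HTTP/1.1" 200 3312 "-" "Mozilla/4.0"
"""

# Fields of a combined-format line: client address, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators checked against each decoded, lower-cased parameter value.
INDICATORS = [
    ("quote_tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+")),  # quote then always-true test
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),            # pulling rows from other tables
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),       # true/false probing
    ("comment_terminator", re.compile(r"(--|/\*|#)\s*$")),              # discarding the rest of the query
]


def review_log(text):
    """Return (flagged_requests, per_ip_counts) for lines whose parameters carry indicators."""
    flagged = []
    per_ip = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production review should count and report these too
        target = m.group("target")
        hits = set()
        # parse_qsl percent-decodes values, so encoded quotes and spaces are examined as sent.
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            lowered = value.lower()
            for label, pattern in INDICATORS:
                if pattern.search(lowered):
                    hits.add(label)
        if hits:
            ip = m.group("ip")
            flagged.append({"ip": ip, "ts": m.group("ts"), "target": target,
                            "status": m.group("status"), "indicators": sorted(hits)})
            per_ip[ip] = per_ip.get(ip, 0) + 1
    return flagged, per_ip


def repeat_offenders(per_ip, threshold=2):
    """Sources with repeated suspicious requests: the repeated probing the article describes."""
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


if __name__ == "__main__":
    flagged, per_ip = review_log(SAMPLE_LOG)
    for entry in flagged:
        print(entry["ts"], entry["ip"], entry["status"], entry["indicators"], entry["target"])
    print("repeat offenders:", repeat_offenders(per_ip))
```

On the sample, three of the five requests are flagged, all from one address, and that address is reported as a repeat offender. The indicator list is deliberately short and will miss obfuscated variants and produce some false positives on legitimate text; its purpose is triage, not proof. The operational lesson from the FINRA findings is that such a check is only useful if someone is assigned, in writing, to run it and act on what it reports.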

In response to a query from On Wall Street, DA Davidson gave this explanation: "The firm regularly reviewed the perimeter security logs; however, the hacker's attacks were not visible on those logs." In addition, the firm's spokesperson said DA Davidson had "tested several different intrusion detection systems in 2006/2007 and was in the process of testing an additional system at the time of the attack. The recommendation to install an IDS was not made as a result of the database or server involved in the hacking incident." Finally, DA Davidson said, "in October 2007, the firm received an audit report from a third-party information technology audit firm stating that the auditor had been unable to breach the firm's external security."

After the firm got the blackmail threat, it contacted law enforcement and cooperated with authorities. As a result, four members of the hacker group have been indicted and three extradited to the United States. DA Davidson also took down the website and removed sensitive client information from the database. The firm also hired another consultant and added more protections, including encryption software, intrusion detection and another firewall.

DA Davidson also spent $1.3 million on other remedial steps plus settled a class action lawsuit with affected customers. “To date, to the firm’s knowledge, no customer has suffered any instances of identity theft or other actual damages as a result of the information security breach,” FINRA said.

Frances McMorris was named editor-in-chief of ON WALL STREET in February 2008, after serving as executive editor since December 2004. She also created and serves as the host of AdvisorTV, an online video interview show appearing at onwallstreet.com.

From indictments to verdicts and appeals, Ms. McMorris has covered many major, high-profile cases in both federal and state courts as a legal affairs reporter for The Wall Street Journal, The New York Daily News, Newsday and The New York Law Journal. The cases that she has covered include: the seditious conspiracy trial of Sheik Omar Abdel Rahman, the blind Egyptian cleric convicted of being the spiritual mastermind of the 1993 World Trade Center bombing; the constitutional battle over the "Don't Ask, Don't Tell" military policy; the Crown Heights riot murder trial; federal racketeering cases against violent gangs; the Long Island pet cemetery trial and several securities fraud and insider trading cases, among others.

The legal issues she has written about are diverse and numerous, ranging from economic espionage to employment discrimination rulings, and she wrote the first story to report that there is no expectation of privacy for employee emails written in the workplace.

Ms. McMorris is a 1993 graduate of Fordham University School of Law and admitted to the New York and New Jersey bars. She has appeared on the former CNNfn to give expert commentary on trials.

She also served as president of the Newswomen’s Club of New York for three years while working as an assistant managing editor at The Daily Deal in New York.

ON WALL STREET magazine has a circulation of more than 90,000—reaching financial advisors and brokers at the most prestigious brokerage firms who serve high-net-worth and ultra-high-net-worth investors.

How can firms protect themselves and their clients from these kinds of privacy invasions?