Brokerage firm DA Davidson has agreed to pay a fine of $375,000 for failing to protect confidential client data from Latvian hackers who breached the company in 2007 in an online extortion scheme and the three have pleaded guilty in Montana.
The hackers used a SQL injection attack to obtain access to the company’s database on Dec. 25 and 26, 2007.
The Financial Industry Regulatory Authority, which announced the fine agreement on Monday, said although the attack activity was reflected in the brokerage’s server logs, administrators failed to examine those logs. The intruders obtained data on about 192,000 customers, according to the press release announcing the fine. (Previous reports indicated that more than 300,000 customer files were stolen). The data included customer account numbers, Social Security numbers, names, addresses, dates of birth and other private information.
The company discovered the breach only after receiving an extortion e-mail from one of the hackers on Jan. 16, 2008, which contained an attachment with the records of 20,000 customers as proof of the intrusion. DA Davidson contacted the Secret Service, and the subsequent investigation led to four suspects, three of whom are Latvian nationals, who were extradited from the Netherlands to face charges in Montana. In a statement released yesterday by the U.S. Attorney for Montana, the three Latvians pleaded guilty to receipt of extortion proceeds.
More: Wired Magazine
Three Plead Guilty in Plot to Extort DA Davidson - Financial Planning
The United States Department of Justice - United States Attorney's Office