A SQL injection attack successfully breached the brokerage firm Davidson & Co in 2007 and exposed nearly 200K customer records.
Investigators followed a trail that led to the arrest of three Latvians in the Netherlands. The suspects were allegedly to pick up money from the company in an extortion plot in which D.A. Davidson was initially advised to send the money to Russia.
The Financial Industry Regulatory Authority (FINRA) has just announced that Davidson will pay a $375K fine to settle the matter.
Davidson had argued that the attack was “new at the time” and “relatively sophisticated”. They also claimed that extensive security procedures were in place during the intrusion, such as “regular review” of the logs for the firewall protecting the breached database. Davidson had hired a third-party auditor just before the breach, who was unable to penetrate the network. The regulators countered that an audit a year prior had recommended a network intrusion detection system, but it had not been installed. The regulators also faulted Davidson for not encrypting the database information and for leaving the database, protected only by a default vendor password, on a web server that was connected directly to the Internet.
Taken together, Davidson’s claims about sophistication and attacker stealth pale in comparison to the apparent lack of network intrusion detection in 2007, the lack of proper segmentation of the database, and the use of a default password.
Clearly regulators and the law (e.g. cases in Illinois and Michigan) are turning up the heat on information security management.
Hear more details about why this breach is significant, as well as others, in my Top Ten Breaches webcast for the RSA Conference next week.