Feeds

Brokerage coughs up $375,000 for website breach

Garden-variety exploit strikes again!

Providing a secure and efficient Helpdesk

US brokerage D.A. Davidson has agreed to pay $375,000 to settle charges that lax security practices allowed criminal hackers from Latvia to pilfer the confidential information of some 192,000 of its customers.

The charges stem from an attack on December 25 and 25, 2007, in which the hackers downloaded the confidential data by exploiting a SQL-injection vulnerability on Davidson's website. The firm only learned of the theft two weeks later, when one of the attackers sent a blackmail message that attached 20,000 customer records as proof their claims were genuine.

Davidson's security was "deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place," according to a press release issued Monday by the Financial Industry Regulatory Authority. The body is a non-governmental regulator that oversees securities firms doing business in the US.

Regulators went on to say that Davidson also failed to employ an intrusion detection system on its network despite an April 2006 recommendation from outside security auditors that one be put in place.

The settlement comes a little more than two years after US prosecutors filed criminal conspiracy, extortion and fraud charges against four men for attacking Davidson's servers and then demanding money in exchange for keeping the breach quiet.

Defendants Aleksandrs Hoholko, Jevgenijs Kuzmenko, and Vitalijs Drozdovs pleaded guilty two weeks ago and are scheduled to be sentenced in June, according to documents filed in US District Court in Montana. The status of a fourth defendant, Robert Borko, was unclear.

Their hack is the second time in recent memory criminals have obtained highly confidential financial information by exploiting a SQL injection vulnerability. Many web masters regard the bugs as little more than a nuisance that have few practical consequences.

TJX hacker Albert Gonzalez was able to breach the the servers of credit card processor Heartland Payment Systems using the same form of attack. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.