In January 2008, the Davidson Companies, a financial services holding company, announced that a database containing current and past customer records had been hacked during a SQL injection attack. On April 14, 2010—more than two years after the network intrusion—the Financial Industry Regulatory Authority (FINRA) fined the company $375,000 for the breach.
In a recent press release, FINRA found that the company “did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection.” FINRA reached this conclusion despite evidence that the company had conducted an independent network security audit before the breach and had implemented most of the auditor’s recommendations. As Thomas Claburn of InformationWeek reported after the 2008 announcement of the breach, the company had hired a penetration testing firm the previous September to assess its IT security, and that firm’s testers did not find any holes. The company did not, however, implement a recommended intrusion detection system that could have mitigated the online attack.
After learning of the intrusion, the company took steps to notify and protect those whose information had been stolen, including notifying law enforcement and cooperating in the criminal investigation. When deciding whether to impose a penalty, FINRA took into account these actions and the fact that no current or former customer actually suffered identity theft. Ultimately, however, the company still faced a stiff penalty for failing, in FINRA’s opinion, to take appropriate measures to protect the personal information stored on its computer network.