Davidson Companies illegal network intrusion exposes clients

Date Reported:
1/30/08

Organization:
Davidson Companies*

*"Davidson Companies is a financial services holding company based in Montana. It includes D.A. Davidson & Co., an investment firm; Davidson Investment Advisors, a money management firm; Davidson Trust Co., a wealth management and trust company; Davidson Fixed Income Management, an investment and money management services firm; and Davidson Travel, a travel agency." - Source: InformationWeek story

Contractor/Consultant/Branch:
None

Victims:
Clients and former clients

Number Affected:
226,000

Types of Data:
Names, Social Security numbers, and account numbers and balances

Breach Description:
Davidson Companies announced that a database containing sensitive personal information belonging to clients and former clients was accessed via an "illegal network intrusion".

Reference URL:
Davidson Companies "Important Client Announcement"
Great Falls Tribune online story
InformationWeek news story

Report Credit:
Erin Madison, Great Falls Tribune Business, with a special thanks to "Coop", a Breach Blog reader

Response:
From the online sources cited above:

Davidson Companies clients and former clients were notified the week of January 28 of an illegal network intrusion, and steps clients should take to protect themselves from identity theft, including enrolling for a credit monitoring product being offered at Davidson's expense for 12 months.

A computer hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients.

The database included information such as account numbers and balances, said Jacquie Burchard, spokeswoman for Davidson Companies. However, the hacker didn't get access to the accounts.

"People's accounts at Davidson are fine," Burchard said. "Their assets are fine."
[Evan] Not really. I think a Social Security number is an asset, an information asset. Just as important as protecting financial or physical assets is protecting information assets.

The computer hacker accessed information on 226,000 current and former clients, Burchard said.

"With the investigation ongoing, it would be inappropriate to delve into the technical aspects of the security breach," - Burchard
[Evan] No disrespect, but I don't think Jacquie Burchard would be qualified to "delve into the technical aspects".

"Despite our efforts to safeguard client information, a computer hacker using sophisticated techniques illegally accessed a database and obtained access to confidential client information," said William A. Johnstone, Davidson Companies president and CEO.
[Evan] I respect Mr. Johnstone for communicating his thoughts about this breach. It demonstrates his understanding that he has a fiduciary responsibility to protect confidential information. I think we would be surprised at how many corporate executives do not understand this simple fact. Remember, terms like "sophisticated" are subjective and depend on perspective.

"All of us at Davidson are acutely aware of the uncertainty, stress and inconvenience associated with the potential compromise of personal information. We are fully committed to helping our clients deal with this unfortunate event as quickly as possible and are adopting measures to further enhance our network security." - Johnstone

The financial services company is temporarily opening call centers and extending branch hours to help answer clients' questions.

Current clients should call .

Former clients should call .

The Great Falls office of D.A. Davidson & Co. will be open for extended hours this week as follows: 7 a.m. to 7 p.m. through Friday and 9 a.m. to 4 p.m. Saturday.

The computer break-in occurred earlier this month, Burchard said. Authorities investigating the crime asked the company to keep the news extremely confidential during the early stages of the investigation.

This was a "very, very sophisticated hacker," Burchard said. "We don't know where this person is; we don't know who this person is."
[Evan] I speculate (I like to speculate when there is little risk!) that this attack was not as technologically advanced as claimed. How "very, very sophisticated" does an attacker need to be in order to convince another person to click on a link or open a browser? What seems to be very sophisticated is often very simple. Does that sound like Confucius?

Davidson Companies has many procedures and policies in place to protect client information, Johnstone added.

The company reportedly hired a penetration testing company last September to assess its IT security and the firm's hackers did not find any holes.
[Evan] If this company was worth a hill of beans, they should have found flaws. I am going to speculate again and say that they are and did. I don't think that this was a typical external hack (attack).

"Obviously, we're enhancing our IT (Information Technology) security systems," Burchard said.
[Evan] Yeah, obviously! ALL of us should ALWAYS be enhancing our security systems. Security is a life cycle discipline that requires constant monitoring and improvement. No destination here.

Law enforcement agencies note that because people are constantly finding new ways to hack into systems, it's an ongoing problem, she said.

Commentary:
I think I speculated more about this breach than I have about any other on The Breach Blog. Maybe it's a Friday thing, and maybe I have a point to make even if my speculation is 180 degrees off. I suppose this could have been some uber l337 hack that got past multiple layers of defense such as firewalls, hardened servers, IDS/IPS, etc. (supposing they exist), but I can tell you that if this was the case, this is rare. Why go through all the work, when there are more effective means to access the same information?

A majority of security breaches are the result of simple mistakes, lack of knowledge, laziness, and/or poor common sense.

OK, I am stepping down from my soap box now. Have a nice weekend.

FYI, the Davidson login page is down.

Past Breaches:
Unknown

Comments
  • 2/1/2008 3:54 PM Coop wrote:
    Sounds like it was a pretty 1337 hack.
  • 2/5/2008 8:54 PM ExClient wrote:
    As an ex-client of D.A. Davidson, there are tons of questions unanswered. Info has it that the records that were hacked were not central records, but rather from an internet-accessible database. Why would any firm put personal data from over 10-year-old (expired) clients on an internet-accessible database? Further, they have no system in place for contacting ex-clients who have moved, nor were they overly concerned about ex-clients today, with the comment, "of course, you know our major focus has been on current clients" being echoed more than once. Therefore ex-clients who have moved may not even find out their personal data has been compromised!