Hacking of LPL Financial’s BranchNet System a Result of “Reckless Disregard”

Earlier this month, LPL Financial agreed to pay a $275,000 penalty to the Securities and Exchange Commission for failing to fix security vulnerabilities that were discovered in a 2006 internal audit of the company’s security controls. The audit identified that the security controls in LPL’s BranchNet trading system were inadequate, and recommended remediation.

After receiving the internal audit, and after months of consideration regarding the cost/benefit of the security remediation, LPL’s Executive Risk Committee doesn’t appear to have ever reached a decision on whether to fix the problems in BranchNet. While they were deliberating, accounts of LPL’s customers were accessed to make unauthorized trades over an 8-month period beginning in July 2007.

In their cease-and-desist order, the SEC says that as a result of LPL Financial’s failure to take immediate corrective action, the company was “in reckless disregard of the regulatory requirements.”  LPL accepted the censure and fine without admitting or denying the SEC’s findings.

Interestingly, the SEC notes that LPL detected the unauthorized trading attempts, and was able to block most of them.  However, if they were aware of the intrusion, how did they allow it to continue for 8 months?

The password policies of BranchNet read like a case study in what should be avoided with passwords:

Regarding password complexity, LPL’s internal auditors identified the following weaknesses concerning the BranchNet application: (1) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (2) passwords were not set to expire after a certain period of time; (3) users could not change their own passwords; and (4) there was no automatic lockout feature related to unsuccessful login attempts. Additionally, over 300 LPL information technology employees had access to a list of BranchNet passwords, and a number of former employees likely had access to such a list before leaving the firm.

With respect to BranchNet session inactivity, LPL’s internal auditors observed that the automatic session timeout was set at eight hours, which LPL’s internal auditors believed was significantly longer than the timeout periods used by other financial services firms for similar applications.

This is for an Internet-facing application that manages accounts and trades for customers of a company with more than 1 million customers and 282 billion dollars in assets under management.  Based on the description above, it would appear that a user could set a password equal to “a”, and the system would accept it.
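To make the audit findings concrete, here is an added example (not code from the post, the SEC order, or LPL) that models the four password controls listed above plus the session timeout as a small policy object, so the configuration described for BranchNet can be compared with a hardened one. The hardened numbers (12 characters, 90-day expiry, 5-attempt lockout, 15-minute idle timeout) are assumptions, not values from the post.

```python
"""Password/session policy model built from the audit findings quoted in the post."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 0                       # 0 -> no length requirement (finding 1)
    require_mixed_classes: bool = False       # False -> no character-class rule (finding 1)
    max_age_days: Optional[int] = None        # None -> passwords never expire (finding 2)
    lockout_threshold: Optional[int] = None   # None -> no lockout on failed logins (finding 4)
    idle_timeout: timedelta = timedelta(hours=8)  # the eight-hour timeout the auditors flagged

    def password_ok(self, pw: str) -> bool:
        """Accept a new password only if it meets length and class requirements."""
        if len(pw) < self.min_length:
            return False
        if self.require_mixed_classes:
            classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
            if sum(bool(re.search(p, pw)) for p in classes) < 3:
                return False
        return True

    def password_expired(self, set_at: datetime, now: datetime) -> bool:
        return self.max_age_days is not None and now - set_at > timedelta(days=self.max_age_days)

    def locked_out(self, failed_attempts: int) -> bool:
        return self.lockout_threshold is not None and failed_attempts >= self.lockout_threshold

    def session_expired(self, last_activity: datetime, now: datetime) -> bool:
        return now - last_activity > self.idle_timeout


def audit_findings(policy: PasswordPolicy) -> List[str]:
    """Return the findings from the post that a policy still exhibits (finding 3,
    users unable to change their own passwords, is a workflow issue not modelled here).
    The 30-minute timeout threshold is an assumption for illustration."""
    findings = []
    if policy.min_length == 0 and not policy.require_mixed_classes:
        findings.append("(1) no length or character-class requirement")
    if policy.max_age_days is None:
        findings.append("(2) passwords never expire")
    if policy.lockout_threshold is None:
        findings.append("(4) no automatic lockout after failed logins")
    if policy.idle_timeout > timedelta(minutes=30):
        findings.append("session timeout exceeds 30 minutes")
    return findings


# Configuration as the post describes BranchNet: every default above is the weak setting.
BRANCHNET_AS_AUDITED = PasswordPolicy()
# Hardened counterpart with assumed values.
HARDENED = PasswordPolicy(min_length=12, require_mixed_classes=True, max_age_days=90,
                          lockout_threshold=5, idle_timeout=timedelta(minutes=15))
```

Running `audit_findings(BRANCHNET_AS_AUDITED)` lists four findings and `BRANCHNET_AS_AUDITED.password_ok("a")` returns True, which is exactly the point made above.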

As I researched a bit more, I found this interesting tidbit from LPL’s customer loss letter at BreachBlog:

In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at LPL.

Chief Security Officer is a newly created position at LPL Financial?  I’d ask who runs their Information Security department, but I’d be afraid that I’d hear they don’t have one.

LPL also began reporting breaches related to laptop loss incidents immediately after the accounts on BranchNet were compromised.  I’d venture to guess that they were unaware that data losses needed to be reported until they started working on this major incident.  PogoWasRight.org shows 5 laptop loss incidents reported in the last 4 months.

Although the SEC’s action only covered the breach that occurred between July 2007 and February 2008, PogoWasRight reports that another password was compromised in May 2008 resulting in the loss of data of 185 individuals.

It’s pretty shocking to me that a financial company with $2.7 billion in annual revenue can have security issues anywhere close to the problems at LPL Financial.  I wish Mr. Loewenthal great success as the new CSO, and I hope he knows what he’s in for.

The SEC’s order is here (PDF): http://www.sec.gov/litigation/admin/2008/34-58515.pdf

(Post updated on September 23 to note the “reckless disregard” comment from the SEC)
