<

KRTV News

Apr 13, 2010 6:37 PM by KRTV News

D.A. Davidson fined $375K; Latvian hackers plead guilty

A security breach at D.A. Davidson has led to the company being fined $375,000 by the Financial Industry Regulatory Authority.

In December 2007, the records of 192,000 customers of the Great Falls-based company were accessed by hackers; the fine is for failing to protect those customers.

To date, no Davidson clients have had their information used illegally.

In handing down the penalty, the regulator cited a recommendation from security consultants to install an intrusion detection system.

Jackie Burchard with D.A. Davidson tells us that shortly before the hackers accessed the records, a third-party company checked Davidson's external security and was unable to breach the system. Burchard also said that D.A. Davidson had a variety of security systems in place when the hackers accessed the files.

Three individuals from Latvia were arrested and recently pled guilty to receipt of extortion proceeds; they're scheduled for sentencing in June.

The press release below from the U.S. Attorney's office details the guilty plea from the three men.

The United States Attorney’s Office announced that during a federal court session in Helena on March 30, 2010, before Senior U.S. District Judge Charles C. Lovell, ALEKSANDRS HOHOLKO, age 30, JEVGENIJS KUZMENKO, age 26, and VITALIJS DROZDOVS, age 33, residents of Riga, Latvia, pled guilty to receipt of extortion proceeds. Sentencing has been set for June 16, 2010. They are currently detained.

In an Offer of Proof filed by Assistant U.S. Attorneys Michael S. Lahr and Ryan M. Archer, the government stated it would have proved at trial the following:

Between December 20, 2007, and January 11, 2008, John Doe effected a series of unauthorized intrusions into the D.A. Davidson (“Davidson”) computer system and stole personal and/or financial account information from thousands of customers. John Doe demanded $80,000 in exchange for disclosing security vulnerabilities and destroying any confidential information stolen from Davidson’s computer system.

The United States Secret Service (“USSS”), in conjunction with Davidson, negotiated with John Doe in an effort to determine his location and identity. From approximately February 8, 2008, to February 18, 2008, the USSS negotiated with John Doe for the delivery of money to the Netherlands through Western Union transfers. John Doe specifically identified Aleksandrs Hoholko (“HOHOLKO”) and Jevgenijs Kuzmenko (“KUZMENKO”) as the individuals to pick up the money.

John Doe designated KUZMENKO as the person who would pick up a Western Union transfer in the Netherlands on February 14, 2008. The transfer did not go through because there was a hold placed on it, and the value was not as much as it was supposed to be. On February 15, 2008, a second transfer was sent to the Netherlands and picked up by HOHOLKO. He received $1,500 from Western Union in Eindhoven and provided his Latvian passport as identification.

On February 18, 2008, HOHOLKO attempted to pick up a second transfer in Eindhoven. Agents of the Netherlands High Tech Crime Unit observed HOHOLKO attempting to pick the money up and arrested him. Agents also arrested Vitalijs Drozdovs (“DROZDOVS”) who drove HOHOLKO to the Western Union. Officers discovered a firearm and money transfer receipts in the vehicle. Dutch law enforcement then went to the apartment where DROZDOVS and HOHOLKO were staying and discovered KUZMENKO residing there as well. Agents recovered DROZDOVS’ cell phone which had a text message on it referring to one of the Western Union transfers from Davidson to the Netherlands.

Each defendant made a statement to Dutch agents when they were questioned in the Netherlands. Each of them admitted picking up money, although they denied criminal involvement. HOHOLKO and KUZMENKO explained that “Vitaliy” would receive a text message with instructions on when and where to pick up money. They would then receive the money and give it back to Vitaliy. They said they did not know his last name. HOHOLKO said that he would sometimes give the money to someone on the street that he did not know. Both HOHOLKO and KUZMENKO said that they did not know who sent the messages or who received the money. KUZMENKO further claimed that he did not know who bought his ticket to the Netherlands and never knew HOHOLKO’s last name because he was a comrade and “you do not ask a comrade for a last name.”

DROZDOVS said that he received text messages with instructions to pick up money, but claimed he did not know who sent them. He said that once a week he would give the money to the driver of a bus from the Netherlands to Riga, Latvia. Upon giving it to the bus driver, DROZDOVS would write an 8-digit number on the envelope and then send that number to an associate. He said the bus driver would take 1% of the proceeds, and he claimed to not know who ultimately received the money.

After their arrest and a search of their vehicle and apartment, agents also discovered other hand written notes with Western Union wire transfer numbers, names, amounts, and countries of origin. Similar messages were found on a cell phone in DROZDOVS’ possession.

They each face possible penalties of 3 years in prison, a $250,000 fine and 1 year supervised release.

The investigation was conducted by the U.S. Secret Service.

»Comments