Exclusive: Anatomy Of A Brokerage IT Meltdown

Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.

Regulatory Sanctions

GunnAllen's IT failures paralleled larger business problems. Formerly known as Napex Financial Corp., GunnAllen was founded in 1996 by Donald Gunn and Richard "Allen" Frueh. GunnAllen provided a place for brokers and dealers, who must be associated with a FINRA member firm in order to trade, to hang their shingle. But by 2008, senior members of the firm had come under fire for not properly vetting those brokers or monitoring what they were doing in the name of GunnAllen.

Notably, 2008 was when FINRA fined GunnAllen $750,000 for a "trade allocation scheme" conducted by former head trader Alexis J. Rivera. "In 2002 and 2003, the firm, acting through Rivera, engaged in a 'cherry picking' scheme in which Rivera allocated profitable stock trades to his wife's personal account instead of to the accounts of firm customers," according to FINRA. "Rivera garnered improper profits of more than $270,000 through this misconduct, which violated the anti-fraud provisions of the federal securities laws and FINRA rules. Rivera was barred in December 2006."

FINRA accused GunnAllen's investment division of doing business with companies, then failing to inform the broker-dealer's own compliance department that those companies should be placed on a restricted or watch list for investments, as is required by the agency. FINRA also said the brokerage failed to safeguard non-public information in its investment division, meaning that other employees could have profited from insider information. Finally, FINRA accused GunnAllen of "failing to preserve emails and instant messages."

A lack of top-down oversight of Michigan-based GunnAllen broker Frank Bluestein ultimately led to the firm's demise. Bluestein resold investments on behalf of Ed May, who FINRA said "created and marketed unregistered investments" to an estimated 1,500 investors under the company he ran, E-M Management Co., LLC. In 2007, the SEC charged May with fraud, for allegedly running a Ponzi scheme focused on a fictitious Las Vegas casino and fake telecommunications equipment and leasing deals that took in more than $250 million before being discovered and stopped.

In 2009, the SEC also charged Bluestein with fraud. According to the SEC complaint, from 2002 to 2007 Bluestein ran seminars that "lured elderly investors into refinancing the mortgages on their homes," ultimately recruiting about 800 investors and securing $74 million in investments.

In April 2011, May pleaded guilty to 59 counts of mail fraud, received a 16-year prison sentence, and was ordered to pay a $250,000 fine. Bluestein, however, denied all knowledge of the Ponzi scheme, citing in his defense that he'd personally purchased the investments being sold by May.

Regardless, GunnAllen faced a volley of investor lawsuits after the SEC's 2009 allegations. By March 2010, FINRA found that GunnAllen no longer had sufficient net capital to trade and closed the firm, leading to the layoff of 400 employees. By November 2010, GunnAllen had been liquidated.

First-Ever Standalone SEC Privacy Fine

Although GunnAllen went bankrupt, regulators weren't done with it. The SEC in 2011 accused two former employees--president Frederick O. Kraus and national sales manager David C. Levine--of having inappropriately used GunnAllen customer data, and it fined them each $20,000. The SEC also slammed GunnAllen's former chief compliance officer, Mark A. Ellis, for having failed to put in place or enforce proper policies and procedures for protecting customer information. It fined Ellis $15,000. The agency noted that the broker-dealer's written policies were "vague" and turned out to be little more than a rewording of the actual SEC regulations.

As for the alleged security breaches recounted to InformationWeek by the former Revere Group employees, a 2010 SEC enforcement action against former GunnAllen executives detailed multiple security incidents, but not the full extent of the breaches alleged by the former employees, which included at least one missing laptop containing financial information. Likewise, the home router incident didn't even come to light until 2009, one year after FINRA fined GunnAllen.

New SEC Violations Emerge

In June 2011, Sago detailed the additional security violations in a six-page letter to the SEC's Miami office, which had conducted the GunnAllen investigation. The agency's associate director of enforcement in Miami, who was in charge of the investigation, didn't respond to multiple calls and emails seeking comment on Sago's allegations, whether the investigation was still open, or whether the additional revelations might lead to any new fines or sanctions against current or former employees of GunnAllen or The Revere Group. A spokeswoman for the SEC, reached by phone, declined to comment on any of those questions.

User Rank: Apprentice
1/4/2013 | 2:27:29 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
You're misrepresenting the story, queuester. The story doesn't "tie the demise of GunnAllen to the actions of Revere." In the very first paragraph, the story states that GunnAllen's "IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm." The facts laid out in the story support that thesis.
User Rank: Apprentice
11/17/2012 | 11:55:43 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
This article at best was a one-sided and inaccurate accounting of the IT staff that worked for the company after Revere was shown the door. Trying to tie the demise of GunnAllen to the actions of Revere is the same as trying to tie mother's milk to heroin addiction. There is no doubt that Revere was a drag on GunnAllen and did nothing in the interest of their client. That changed when GAF appointed their own CTO who subsequently rid the company of this incompetent and self-serving consultancy. To place so much weight on the quotes of a Revere help desk manager whose greatest contribution was writing poems about eating donuts doesn't really seem to be great investigative journalism. I was there as an employee of GAF during the time and worked for the CTO who was a very competent technologist as were many of the people who were kept on. I was also there as we were forced to decommission all of the systems at the behest of FINRA who also displayed an amazing amount of indifference and incompetency during the process. GAF is shut down for a cash reserve deficiency of $100k while the SEC and FINRA allowed MF Global and Jon Corzine to "misplace" $1.2 billion of investor money. They (the SEC and FINRA) were only successful at dragging the name of one of the only ethical members of the executive management team through the mud. Maybe a little more research might help next time as the only parties that really were hurt were the customers and that was done by FINRA not the company.
User Rank: Apprentice
10/9/2012 | 8:01:34 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
Reads like a company I had experience with and yes, it was a calculated plan on the part of the IT "engineer". Maybe more akin to the doctor/nurse who causes a patient's ills to be seen as the hero for relieving them or a fireman who starts fires to put them out. In the case I was familiar with, the engineer calculated that management would look favorably on him for saving them and unfavorably on anyone who would attack him as being jealous of his expertise rather than invest to independently investigate and perhaps uncover his intentional staging of the cases. He was right. The company fired two of his superiors for harassing the engineer who had "saved" the company.
Recognizing that Revere Group and GunnAllen are not islands in this respect, there are still more than a few questions surrounding the validity of Sago's accusations (he did work there for what looks to be an extended period before being let go at the height of the 2008 financial crisis). A little vindictiveness? Some of these IT informants seem to share a little responsibility themselves if nothing else for complacency (why didn't DiMarzio take care of RG personnel problems internally without relating full details to GunnAllen?).
User Rank: Apprentice
10/9/2012 | 5:34:48 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
The words that come to mind are malicious, incompetent and hubris. I can understand not liking your job. I can understand having a bad day. But by the great FSM! I have never read about a company that seems so eager to destroy itself. Not even when MCI was around, did I ever see such cavalier disregard for both customer data.
User Rank: Apprentice
10/9/2012 | 1:11:02 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I have always felt embarrassed when I come in on Monday and something needs fixing, let alone a trivial 5-minute fix. That guy was a dishonorable idiot.

Interesting article. Read like a horror story.
User Rank: Apprentice
10/9/2012 | 3:23:22 AM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I worked at GunnAllen in the IT dept for 13 months - 2004/2005 - and one of the "urban legends" from prior to 2004 was that a senior IT programmer was fired for running a porn site on unused space on the web servers. I don't know the truth about this, but it was interesting to hear. I was "downsized" after making the GunnAllen CIO and staff unhappy during the planning of the national convention - no big loss for me, in hindsight!
User Rank: Apprentice
10/8/2012 | 8:50:42 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
It almost reminds me of the type of behavior seen in arsonists. It's as if the guy enjoys "starting fires", in the IT sense. Also seems like passive-aggressive behavior... but more aggressive than passive. Like he "forgot" to change the settings back.

Really strange. Was it incompetence or sabotage?