Exclusive: Anatomy Of A Brokerage IT Meltdown

Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.

In the bigger picture, it's unclear where the SEC was during all of this activity. "How is it that GunnAllen was an examined entity and they had no security policy?" said independent privacy expert Andrew M. Smith, an attorney at Morrison & Foerster. "Say you're 25 years old, recently graduated college, you're an SEC inspector, what's the first thing you're going to do? You're going to ask for their policies and procedures, and when you see that it takes up less than a quarter of a page, there's going to be something wrong."

Of course, that perspective assumes that the SEC or FINRA had in fact audited GunnAllen's compliance. "Is it possible that they never examined this broker-dealer? If so, that's fair enough," Smith says. In fact, it's not clear whether FINRA or the SEC ever audited GunnAllen's policies before they began their relevant enforcement actions, or whether the additional security violations that Sago detailed in mid-2011 might lead the agencies to reopen their investigation.

Officials at both FINRA and the SEC declined to comment on any examinations or audits their agencies may have conducted of GunnAllen. But FINRA's publicly accessible records for GunnAllen make no mention of the agency having audited or examined the company before evidence of the Ponzi scheme emerged.

What could have been done to help the SEC spot brokerages with poor IT policies? In 2008, the agency proposed amendments to Regulation S-P, also known as the Safeguard Rule, to increase customer data protection requirements for the businesses it regulates. According to Chris Wolf, an attorney who directs law firm Hogan Lovells' privacy and information management practice, these include requiring "a written security program, identification of specific employees to run it, identification of documentation for reasonably foreseeable security risks, as well as implementation of safeguards for managing those risks, as well as training, oversight, and so on, including for providers." Wolf added, "It would also have a data breach notification obligation, which currently does not exist."

But those proposed amendments have remained stalled since they were first proposed in March 2008. An SEC spokeswoman declined to comment on the status of the proposed Reg S-P amendments, or whether the agency is still backing them.

Life After GunnAllen

Knowing what they now know, would the Revere Group IT employees who worked at GunnAllen have done anything differently? "Things probably should have been told directly to GunnAllen, but we were in such fear of keeping our jobs," Lynott said. "Looking back and thinking back now, I probably would have gone back and told the GunnAllen people. But they may already have known."

Ultimately, Lynott said, he quit The Revere Group. "I got to the point where I morally couldn't go to work anymore," he said. One week after he left, he heard that the network engineer who'd allegedly sabotaged the IT systems was fired.

Saccavino, meanwhile, said he suspects GunnAllen had no idea what was happening in the IT department. "They weren't told the whole truth, and I don't think they were told even part of the truth," he said. "Shame on them for not having a check and balance in place, but you can't blame them for being the victim."

Smith, the privacy expert, offered four takeaways for any company that outsources its IT department: "One, you need to do your due diligence up front so you know that your service provider can keep this safe. Two, you need to have contractual obligations that allow you to keep this data safe, and audit that. Three, monitor so you know it's safe. And four, if there's unauthorized access, have your service provider notify you promptly."

User Rank: Apprentice
1/4/2013 | 2:27:29 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
You're misrepresenting the story, queuester. The story doesn't "tie the demise of GunnAllen to the actions of Revere." In the very first paragraph, the story states that GunnAllen's "IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm." The facts laid out in the story support that thesis.
User Rank: Apprentice
11/17/2012 | 11:55:43 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
This article at best was a one-sided and inaccurate accounting of the IT staff that worked for the company after Revere was shown the door. Trying to tie the demise of GunnAllen to the actions of Revere is the same as trying to tie mother's milk to heroin addiction. There is no doubt that Revere was a drag on GunnAllen and did nothing in the interest of their client. That changed when GAF appointed their own CTO who subsequently rid the company of this incompetent and self-serving consultancy. To place so much weight on the quotes of the Revere help desk manager whose greatest contribution was writing poems about eating donuts doesn't really seem to be great investigative journalism. I was there as an employee of GAF during the time and worked for the CTO who was a very competent technologist as were many of the people who were kept on. I was also there as we were forced to decommission all of the systems at the behest of FINRA who also displayed an amazing amount of indifference and incompetency during the process. GAF is shut down for a cash reserve deficiency of $100k while the SEC and FINRA allowed MF Global and John Corzine to "misplace" $1.2 billion of investor money. They (the SEC and FINRA) were only successful at dragging the name of one of the only ethical members of the executive management team through the mud. Maybe a little more research might help next time as the only parties that really were hurt were the customers and that was done by FINRA not the company.
User Rank: Apprentice
10/9/2012 | 8:01:34 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
Reads like a company I had experience with and yes, it was a calculated plan on the part of the IT "engineer". Maybe more akin to the doctor/nurse who causes a patient's ills to be seen as the hero for relieving them or a fireman who starts fires to put them out. In the case I was familiar with, the engineer calculated that management would look favorably on him for saving them and unfavorably on anyone who would attack him as being jealous of his expertise rather than invest to independently investigate and perhaps uncover his intentional staging of the cases. He was right. The company fired two of his superiors for harassing the engineer who had "saved" the company.
Recognizing that RevereGroup and GunnAllen are not islands in this respect, there are still more than a few questions surrounding the validity of Sago's accusations (he did work there for what looks to be an extended period before being let go at the height of the 2008 financial crisis). A little vindictiveness? Some of these IT informants seem to share a little responsibility themselves if nothing else for complacency (why didn't DiMarzio take care of RG personnel problems internally without relating full details to GunnAllen?).
User Rank: Apprentice
10/9/2012 | 5:34:48 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
The words that come to mind are Malicious, incompetent and hubris. I can understand not liking your job. I can understand having a bad day. But by the great FSM! I have never read about a company that seems so eager to destroy itself. Not even when MCI was around, did I ever see such cavalier disregard for both customer data.
User Rank: Apprentice
10/9/2012 | 1:11:02 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I have always felt embarrassed when I come in on Monday and something needs fixing, let alone a trivial 5-minute fix. That guy was a dishonorable idiot.

Interesting article. Read like a horror story.
User Rank: Apprentice
10/9/2012 | 3:23:22 AM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I worked at GunnAllen in the IT dept for 13 months - 2004/2005 - and one of the "urban legends" from prior to 2004 was that a senior IT programmer was fired for running a porn site on unused space on the web servers. I don't know the truth about this, but it was interesting to hear. I was "downsized" after making the GunnAllen CIO and staff unhappy during the planning of the national convention - no big loss for me, in hindsight!
User Rank: Apprentice
10/8/2012 | 8:50:42 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
It almost reminds me of the type of behavior seen in arsonists. It's as if the guy enjoys "starting fires", in the IT sense. Also seems like passive-aggressive behavior... but more aggressive than passive. Like he "forgot" to change the settings back.

Really strange. Was it incompetence or sabotage?