Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Davidson Cos. Sued for Negligence in Data Breach

Lawsuit confirms that companies can be held liable for failing to provide adequate security

Apr 02, 2008 | 01:30 AM

By Tim Wilson
DarkReading

Security pros, take heed: If you don't do your job, you may not only be fired -- you may end up in court.

A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report.

The breach, which was revealed in January, occurred when a hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Montana-based financial services company's clients. Details on how the hacker accessed the database weren't published.

In the past, companies have been held liable for more overt data losses, such as the loss of a laptop or backup tape. Recently, however, companies have been sued for things their IT departments didn't do, alleging that the IT security department's negligence led to a hack. (See FTC Deal Suggests Enterprises Could Be Liable for Poor Security.)

This latest class-action lawsuit alleges "the Davidson Companies failed to comply with the industry standards designed to protect such confidential personal and financial information from theft" and that the company did not provide "adequate safeguards in its storage and handling of its clients’ confidential personal and financial information."

The lawsuit, which doesn't specify a monetary demand, was filed even though the plaintiffs aren't aware of any identity theft resulting from the breach. Attorneys for Davidson Companies said they haven't seen the paperwork and declined comment.

— Tim Wilson, Site Editor, Dark Reading


Subscribe to RSS










Bugs
ENTERPRISE VULNERABILITIES
Vulnerability:suse linux
Published:2010-01-22
Severity:High
Description:SUSE Linux Enterprise 10 SP3 (SLE10-SP3) configures postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions.
Vulnerability:ie
Published:2010-01-22
Severity:High
Description:The URL validation functionality in Microsoft Internet Explorer 7 and 8 does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability."
Vulnerability:bind
Published:2010-01-22
Severity:Medium
Description:ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.
Vulnerability:ie
Published:2010-01-22
Severity:High
Description:Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530 and CVE-2009-2531.
Vulnerability:ie
Published:2010-01-22
Severity:High
Description:Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0246.


Briefing Centers
POWERFUL INFORMATION
AT YOUR FINGERTIPS
(SPONSORED LINKS)