LPL fined $275,000 for hacking incidents

LPL Financial of Boston has agreed to pay a $275,000 penalty for violating customers’ privacy, the Securities and Exchange Commission announced today.
In July 2007, at least 10,000 customers were left vulnerable to identity theft following a series of hacking incidents into LPL’s online trading platform as a result of the brokerage firm’s failure to adopt policies and procedures to safeguard customers’ personal information, the SEC said in a release InvestmentNews, July 8 .

The firm, which has more than a million customer accounts, agreed to pay the fine without admitting or denying the findings.
In mid-2006, LPL had conducted an internal audit that identified inadequate security controls at its branch offices and specifically identified a risk from hacking, according to the SEC.
But LPL failed to take timely corrective action, the agency said.
The firm did not implement increased securities measures before the hacking incidents began in July 2007. It experienced “multiple” hacking incidents between July 2007 and early 2008, and unauthorized people gained access to the online trading platform for its registered representatives, the SEC said.
Perpetrators placed or tried to place 209 unauthorized securities trades worth more than $700,000 in 68 customer accounts, the agency said.
About 8,100 LPL independent contractor representatives operate from 3,600 branch offices.
LPL “disregarded” their responsibility for protecting customers’ private information, “even in the face of known security deficiencies, and information of at least 10,000 customers may have been exposed as a result,” SEC Los Angeles regional office director Rosalind Tyson said in the release.
Earlier this year, the SEC proposed new regulations on how customer information is to be safeguarded.
“Last year a very small number of our advisers and their clients were affected by Internet ID breaches,” Eric Miller, a spokesman for LPL, wrote in an e-mail.
“These incidents were not related to any company-wide breach of the LPL Financial firewalls but rather resulted from the theft of legitimate usernames and passwords.
“Fortunately, we identified the intrusion early on and not a single client lost money. We are putting in place new technology initiatives and industry best practice standards designed to ensure – to the extent we reasonably can – that this will never happen again.”
LPL is not the only firm that has experienced security breaches.
Last year, advisers who used Jersey City, N.J.-based TD Ameritrade Institutional’s platform received apology letters after a hacker stole vital information(InvestmentNews, Sept. 14, 2007).
In 2006, Ameriprise Financial Inc. of Minneapolis mailed letters to 158,000 clients whose names and internal Ameriprise account numbers were stored in a company laptop computer that had been stolen from an employee’s car (InvestmentNews, Jan. 26, 2006).

Related Topics: Fines/Censures