Washington, D.C. — The Financial Industry Regulatory Authority (FINRA) has announced today that it has fined Centaurus Financial, Inc. (CFI), of Orange County, CA, $175,000 for its failure to protect certain confidential customer information. Centaurus was also ordered to provide notifications to affected customers and their brokers and to offer these customers one year of credit monitoring at no cost.
FINRA found that from April 2006 to July 2007, CFI failed to ensure that it safeguarded confidential customer information. Its improperly configured computer firewall - along with an ineffective username and password on its computer facsimile server - permitted unauthorized persons to access stored images of faxes that included confidential customer information, such as social security numbers, account numbers, dates of birth and other sensitive, personal and confidential data. The firm's failures also permitted an unknown individual to conduct a "phishing" scam. When CFI became aware of the phishing scam, the firm conducted an inadequate investigation and sent a misleading notification letter to approximately 1,400 affected customers and their brokers.
"It is critically important that firms protect confidential customer information and respond appropriately to unauthorized access to their system," said Susan L. Merrill, FINRA Executive Vice President and Chief of Enforcement. "When a firm becomes aware of an unauthorized access, it must conduct an effective review and provide customers with accurate information about that unauthorized access."
On July 15, 2007, CFI's fax server was used by an unauthorized third party to host a phishing scam. Phishing scams are designed to trick computer users into divulging personal information such as usernames, passwords and bank and credit card information. A file simulating a popular Internet auction site was uploaded to CFI's fax server and over a three-day period there were 894 unauthorized logins by 459 unique IP addresses, most of them from recipients of a mass email sent by the perpetrators of the scam.
Following the discovery of the phishing scam, CFI sent a misleading letter to approximately 1,400 customers and their brokers, inaccurately stating that the unauthorized access was limited to one person and that information on the server was not openly available. The letter failed to state that other unauthorized logins had occurred and did not inform the customers that the unauthorized access was made possible by the inadequate firewall and weak username ("Administrator") and password ("password") on its computer fax server.
CFI's conduct violated federal Regulation S-P and FINRA rules.
Under the terms of the settlement, Centaurus has agreed to provide corrected notifications of the unauthorized accesses to all previously notified customers and brokers and to offer these customers one year of free credit monitoring. In addition, CFI will certify to FINRA that its procedures and systems are in compliance with privacy requirements.