LPL Financial has agreed to pay a $275,000 penalty for violating customers' privacy, the Securities and Exchange Commission said Thursday.
In July 2007, at least 10,000 customers were left vulnerable to identity theft following a series of hacking incidents into Boston-based LPL's online trading platform as a result of the brokerage firm's failure to adopt policies and procedures to safeguard customers' personal information, the SEC said in a statement (InvestmentNews, July 8).
LPL, which has more than 1 million customer accounts, agreed to pay the fine without admitting or denying the findings.
In mid-2006, LPL conducted an internal audit that identified inadequate security controls at its branch offices and specifically identified a risk from hacking, according to the SEC. But LPL failed to take timely corrective action, the SEC said.
LPL didn't implement increased security measures before the hacking incidents began in July 2007. It experienced "multiple" hacking incidents between then and early 2008, and unauthorized people gained access to the online trading platform for its registered representatives, the SEC said.
Perpetrators placed or tried to place 209 unauthorized securities trades worth more than $700,000 in 68 customer accounts, the SEC said.
About 8,100 LPL independent-contractor representatives operate from 3,600 branch offices.
LPL "disregarded" its responsibility to protect customers' private information, "even in the face of known security deficiencies, and information of at least 10,000 customers may have been exposed as a result," Rosalind Tyson, director of the SEC's Los Angeles regional office, said in the statement.
This year, the SEC proposed new regulations on how customer information is to be safeguarded.
"Last year, a very small number of our advisers and their clients were affected by Internet ID breaches. These incidents were not related to any companywide breach of the LPL Financial firewalls but rather resulted from the theft of legitimate user names and passwords," Eric Miller, a spokesman for LPL, wrote in an e-mail.
"Fortunately, we identified the intrusion early on and not a single client lost money," he wrote. "We are putting in place new technology initiatives and industry best-practice standards designed to ensure — to the extent we reasonably can — that this will never happen again."
LPL isn't the only firm that has experienced security breaches. Last year, financial advisers who used Jersey City, N.J.-based TD Ameritrade Institutional's platform received apology letters after a hacker stole vital information (InvestmentNews, Sept. 14, 2007).
In 2006, Ameriprise Financial Inc. of Minneapolis mailed letters to 158,000 clients whose names and internal Ameriprise account numbers were stored in a company laptop computer that had been stolen from an employee's car (InvestmentNews, Jan. 26, 2006).
E-mail Sara Hansard at shansard@investmentnews.com.