US brokerage Phillip Capital Inc. has been fined $500,000 (£402,950) for inadequate cyber-security standards, which are believed to have contributed to a data breach at the firm in 2018.
The breach led to $1m being stolen from client accounts. Following the announcement of the fine by the US Commodity Futures Trading Commission (CFTC), the Chicago-based Phillip Capital has acknowledged that it has fully compensated victims financially.
In an official release, the CFTC said:
“The U.S. Commodity Futures Trading Commission issued an order filing and simultaneously settling charges against Phillip Capital Inc. (PCI), a registered futures commission merchant, for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds.
“The order also finds that PCI failed to disclose the cyber breach to its customers in a timely manner. Finally, the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements.
“The order imposes monetary sanctions totalling $1.5 million, which includes a civil monetary penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to, among other things, provide reports to the Commission on its remediation efforts.”
CFTC Director of Enforcement, James McDonald, said:
“Cybercrime is a real and growing threat in our markets. While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.”
The data breach originated in February 2018, when a cyber-specialist at Phillip Capital was sent a phishing email from a previously hacked account, the Commission found.
“The IT engineer clicked on a PDF attachment to the email and entered login information for the administrator’s email account, unwittingly providing those credentials to cybercriminals,” the Commission said.
The hackers used the login credentials to get into further email accounts belonging to chiefs at the company. These compromised accounts were then used to steal customers’ details. The exposure was subsequently identified by engineers at the firm, who then reset passwords and informed management of the data breach. All employees were then contacted, and instructed to reset passwords on potentially affected accounts.
On the day that Phillip Capital found the data breach, the company also received a fraudulent request for a money transfer. A cyber-criminal sent an email to the firm pretending to be a customer, and asked that $1m be sent from various client accounts to a bank account in Hong Kong, the documents claim.
The Commission said:
“The responding customer service specialist replied to the fraudulent email directly to ask if the recipient in Hong Kong was a client of the [Phillip Capital] customer; the cybercriminals replied by email, affirming the recipient was a client and urging the customer service specialist to complete the transaction.
The post #privacy: Data breach fine of $500,000 for US brokerage firm appeared first on PrivSec Report.