Brokerage Firm Hit With $500,000 Data Breach PenaltyCommission Finds That Phillip Capital Made Series of Missteps
The U.S. Commodity Futures Trading Commission has hit Philips Capital Inc., a Chicago-based brokerage firm, with a $500,000 civil monetary penalty for security missteps before and after a 2018 data breach, which resulted in the theft of $1 million from client accounts.
In the commission’s order order, which was announced Friday, Philips Capital also acknowledges it has paid restitution of $1 million to customers whose money was stolen.
The commission, an independent federal agency that regulates futures and options markets, found that Philip Capital did not follow U.S. regulatory requirements for informing customers of the breach in a timely way. It also found that the brokerage allowed cybercriminals to breach its systems, access customer information and steal money from clients. And it faulted the company for not making sure its employees followed written cybersecurity guidelines.
A representative of Philip Capital, which is part of the Singapore-based Phillip Capital Group, did not respond to a request for comment.
The breach that led to financial penalty started in February 2018 when an IT engineer at Phillip Capital received a phishing mail from a previously hacked account on Feb. 28, 2018, according to the commission.
"The IT engineer clicked on a PDF attachment to the email and entered login information for the administrator's email account, unwittingly providing those credentials to cybercriminals," the commission found.
The attackers then used those administrative credentials to access email accounts for the company’s CEO and others. These compromised email accounts contained detailed customer information, according to the commission’s order.
On March 2, two days after the initial breach, the engineer recognized that several of the firm's email accounts had been compromised, according to the order. The engineer then reset the passwords on those affected accounts, informed management of the breach, and, at their instruction, sent an email informing all the employees of the email breach and directing them to change their email passwords, according to the order.
The day Philip Capital discovered the breach, the firm also received a request for a fraudulent transaction. The attacker sent an email to the company pretending to be a customer and requested that $1 million be wired from different client accounts to a recipient in Hong Kong, according to the documents.
“The responding customer service specialist replied to the fraudulent email directly to ask if the recipient in Hong Kong was a client of the [Philip Capital] customer; the cybercriminals replied by email, affirming the recipient was a client and urging the customer service specialist to complete the transaction," according to the commission.
The customer service specialist, along with the finance department, approved the transfer and the money was wired out of the accounts that afternoon. It was only when a customer called to enquire about the reason for the money transfer did the company realize that the transaction was fraudulent, the commission determined.
At nearly every step of the process, it appears that Philip Capital did not have, or failed to follow, good security practices that would have raised red flags, says Joseph Carson, chief security scientist at security firm Thycotic.
Customers in the Dark
Philip Capital didn't follow its written standard security procedures when it came to informing customers about the incident, the commission determined. Instead, the firm sent out an email to all employees stating "this is all confidential and no mention should be made outside the company - this is very important and could affect the company," according to the commission’s order.
Despite knowing about the breach, Philip Capital's CEO initially decided not to inform all of its customers about the attack or the fraudulent wire transfer, the commission determined. Instead, the company sent a general warning to customers about phishing schemes.
In addition, the investigation found that the firm's chief compliance officer was instructed to ask any customers who may have learned of the breach not to discuss it with others because "it will only hurt our company for others to know," the commission found.
Within two weeks of the incident, Philip Capital notified only two customers whose accounts were targeted by the attackers for theft, the commission found. The firm, however, didn't notify customers whose information may had been compromised until February of this year, according to commission’s order.
Since the commission's investigation, Philip Capital has begun putting in stronger safeguards to protect customer data and is now offering clients identity-theft monitoring services, according to the commission.
“This is a reminder for all companies who must comply with government regulations that, if breached, not only will the cybercriminals be after your money, but it is also likely that regulators will fine you as well for not protecting your customers' valuable assets,” Carson says.