Phillip Capital Inc. (PCI) was fined $1.5 million by the United States Commodity Futures Trading Commission (CFTC) for “authorizing” a data breach and failing to alert its customers within a reasonable time.
The CFTC said last week that the Chicago, Illinois-based company will pay a fine of $500,000 and $1 million in restitution to settle charges that it failed to protect its systems from cybersecurity threats.
PCI is a privately held Futures Commission Merchant (FCM) that provides a range of financial services to clients around the world. The FCM claims equity of over $1 billion and assets under management of over $30 billion.
In February 2018, an engineer employed by PCI received an email from a compromised corporate account belonging to a financial securities company. Unaware that a security incident had occurred, the engineer handed over a set of login credentials, which were then used to access staff email accounts containing customer data.
As reported by Reuters, unusual activity was noticed in PCI’s messaging system, but the staff member waited a day before notifying the people responsible for handling a potential data breach.
A month later, the threat actors used the information they had obtained to impersonate a client and facilitate a fraudulent transfer of $1 million to a bank account in Hong Kong.
The affected customer learned of the transfer three days later.
The CFTC said the financial services company not only failed to notify customers of the security breach in a timely manner, but also that employees were not properly trained or briefed on its cybersecurity policies and procedures.
PCI did reimburse the victim, however, and has since taken steps to improve its cybersecurity posture. The company is now required to provide reports to the US agency on its progress.
“Cybercrime is a real and growing threat in our markets,” said James McDonald, CFTC’s director of enforcement. “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place – and follow those procedures – to protect their customers and accounts from potential harm.”
Businesses, especially when acting as custodians of sensitive customer data, whether financial or medical, need to take cyber threats seriously. PCI may have walked away with a relatively light penalty for allowing this to happen, given that the consequences could have been much more damaging if more than one customer had been targeted.
If the FCM had been based in Europe, for example, the fines imposed by the authorities could have been higher. Under the EU’s General Data Protection Regulation (GDPR), penalties of up to €20 million or 4% of annual worldwide turnover can be imposed for failing to adequately protect personal data.
PCI has not responded to requests for comment at the time of writing.