[BreachExchange] Chicago brokerage to pay $1.5 million for cyber attack lapses: U.S. CFTC

Destry Winant destry at riskbasedsecurity.com
Mon Sep 16 10:18:40 EDT 2019


(Reuters) - The U.S. Commodity Futures Trading Commission (CFTC)
said on Friday that a Chicago-based futures brokerage will pay a total
of $1.5 million for letting cyber criminals breach the firm’s email
systems and withdraw $1 million from a customer’s account.

Phillip Capital Inc (PCI) neither admitted nor denied the CFTC’s
findings or conclusions, the CFTC said in a settlement with the firm.
A Phillip Capital representative did not return a call requesting

The case, which stems from a February 2018 phishing attack,
illustrates the vulnerability of financial services firms to cyber
attacks and how lapses in following procedures for responding to a
cyber attack can spur trouble with regulators.

PCI violated U.S. regulations by, among other things, failing to
disclose the breach to customers, the CFTC said.

The penalty includes $1 million in restitution to the customer
defrauded by the attack and a $500,000 penalty.

In the attack, PCI’s information technology engineer received an email
from a hacked financial security company account, then entered login
details in response, not knowing that cyber criminals would receive
the information.

The criminals accessed employee email accounts that contained detailed
customer information, the CFTC said.

Irregularities in the email system appeared the next day, but the
engineer, whom the CFTC did not identify, did not reset the firm’s
main password or tell employees or managers about the breach for
another day.

On March 2, 2018, cyber criminals used information found in the emails
to pose as a customer via another email and facilitate the transfer of
$1 million to a Hong Kong bank.

PCI, part of Singapore-based Phillip Capital Group, learned about the
transfer three days later, when the defrauded customer called to ask
why $1 million had been wired from its account.

Employees did not consult or follow the firm’s security procedures
after the attack, the CFTC said.

The agency found that PCI’s chief compliance officer was not familiar
with technology or cyber security and could not adequately evaluate
whether the firm’s cyber security policies and training were adequate,
the CFTC said.

PCI has since notified customers about the breach and taken steps to
improve its cyber security, the CFTC said.
