CFTC fines Phillip Capital over violations related to cybersecurity incident

Maria Nikolova

Back in March 2018, the co-CEOs of Phillip Capital decided not to inform their customers of the cybersecurity breach.

The US Commodity Futures Trading Commission (CFTC) on Thursday issued an order settling charges against online trading company Phillip Capital Inc. (PCI). PCI is a registered futures commission merchant, and is a part of Singapore-based Phillip Capital Group.

PCI is sanctioned for allowing cyber criminals to breach its email systems, access customer information, and successfully withdraw $1 million in PCI customer funds. PCI also failed to disclose the cyber breach to its customers in a timely manner. Finally, PCI failed to supervise its employees with regard to cybersecurity policy and procedures, a written information systems security program (ISSP), and customer disbursements.

The incident occurred on February 28, 2018, when PCI’s IT Engineer received a phishing email from a hacked financial security organization account. The IT Engineer clicked on a PDF attachment to the email and entered login information for the PCI administrator’s email account in order to access the document. Thus, the employee unwittingly provided those credentials to cyber criminals, which they used to access the IT Engineer’s email account. The IT Engineer’s email account had administrator privileges, and the cyber criminals were able to use those privileges to access email accounts for PCI’s co-CEO and various PCI finance employees as well.

The compromised email accounts contained customer information. The next day, the IT Engineer noticed that the email account had been added as a delegate to various PCI email accounts and removed the delegation. But the IT Engineer neither reset the email account’s password nor notified management.

On March 2, the IT Engineer saw that the delegation removed the day before had been restored; the IT Engineer then recognized that the email account had been compromised. At that point, two days after the initial breach, the IT Engineer reset the email account’s password, informed management of the breach, and at their instruction, sent an email informing all PCI employees of the email breach and directing them to change their email passwords.

Upon discovery of the breach, none of the involved PCI employees (including the IT Engineer, the two co-CEOs, and the CCO) consulted the ISSP to determine responsive steps.

On March 2, the same day that PCI management and employees learned of the email breach, the cyber criminals used customer information gleaned from the compromised emails to fraudulently extract funds. The cyber criminals sent an email to PCI, posing as a PCI customer and requesting that $1 million be wired from that customer’s omnibus account at PCI. The wire instructions identified a recipient bank account in Hong Kong, in the name of a third party not otherwise known to PCI.

Before approving the wire request, the Customer Service Specialist who received the initial email consulted a supervisor, and then the CCO, to inquire as to whether the wire was permissible. The CCO simply told the Customer Service Specialist to check whether the customer was sending funds to an account for one of its clients. The responding Customer Service Specialist replied to the fraudulent email directly to ask if the recipient in Hong Kong was a client of the PCI customer; the cyber criminals replied by email, affirming the recipient was a client and urging the Customer Service Specialist to complete the transaction. The Customer Service Specialist then approved the request, as did the finance department and other backstops within the PCI disbursement chain, and PCI wired the money out that afternoon.

PCI did not discover that the wire request was a fraud until Monday, March 5, when the defrauded customer called to ask why $1 million had been wired from its account.

Upon this discovery, PCI instituted measures to preclude additional fraudulent transfers, notified regulators that day, and within hours reimbursed its customer for the $1 million that had been improperly disbursed.

The co-CEOs ultimately determined not to inform their customers of the cybersecurity breach or the fraudulent wire transfer, and instead sent a non-specific warning to PCI customers about phishing schemes in general. From the outset, management made concerted efforts to keep the fact of the breach from its customers and the public, with one co-CEO directing staff in a company-wide email that “this is all confidential and no mention should be made outside the company – this is very important and could affect the company,” and separately asking the CCO to ask any customers who may have learned of the breach not to discuss it with others, as “it will only hurt our company for others to know and it to be talked about.”

Following the Commission’s investigation into this series of events, PCI took corrective actions to strengthen its cybersecurity defenses and improve its procedures. In addition, on February 21, 2019, PCI notified all customers for whom PCI held personally identifiable information as of March 2, 2018, about the past email breach and offered a twenty-four month membership in an identity theft monitoring service.

The CFTC order imposes monetary sanctions totaling $1.5 million, which includes a civil monetary penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to, among other things, provide reports to the Commission on its remediation efforts.
