CFTC fines Phillip Capital over violations related to cybersecurity incident
Back in March 2018, the co-CEOs of Phillip Capital decided not to inform their customers of the cybersecurity breach.
The US Commodity Futures Trading Commission (CFTC) on Thursday issued an order settling charges against online trading company Phillip Capital Inc. (PCI). PCI is a registered futures commission merchant, and is a part of Singapore-based Phillip Capital Group.
PCI is sanctioned for allowing cyber criminals to breach its email systems, access customer information, and successfully withdraw $1 million in PCI customer funds. PCI also failed to disclose the cyber breach to its customers in a timely manner. Finally, PCI failed to supervise its employees with regard to cybersecurity policy and procedures, a written information systems security program (ISSP), and customer disbursements.
The incident occurred on February 28, 2018, when PCI’s IT Engineer received a phishing email from a hacked financial security organization account. The IT Engineer clicked on a PDF attachment to the email and entered login information for the PCI administrator’s email account in order to access the document. Thus, the employee unwittingly provided those credentials to cyber criminals, which they used to access the IT Engineer’s email account. The IT Engineer’s email account had administrator privileges, and the cyber criminals were able to use those privileges to access email accounts for PCI’s co-CEO and various PCI finance employees as well.
The compromised email accounts contained customer information. The next day, the IT Engineer noticed that the email account had been added as a delegate to various PCI email accounts and removed the delegation. But the IT Engineer neither reset the email account’s password nor notified management.
On March 2, the IT Engineer saw that the delegation removed the day before had been restored; the IT Engineer then recognized that the email account had been compromised. At that point, two days after the initial breach, the IT Engineer reset the email account’s password, informed management of the breach, and at their instruction, sent an email informing all PCI employees of the email breach and directing them to change their email passwords.
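The delegation pattern described above (a privileged account granted delegate access to several mailboxes, the grants removed, then reinstated without a credential reset) is the kind of sequence a mailbox audit log can surface. The following is an added example written for this article, not code from PCI or the CFTC; the event schema, account names, mailbox names and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str        # "DelegateAdded", "DelegateRemoved" or "PasswordReset"
    account: str       # account granted/revoked access, or whose password was reset
    mailbox: str = ""  # mailbox whose delegate list changed (empty for PasswordReset)

def delegation_alerts(events, mass_threshold=3, mass_window=timedelta(hours=24),
                      readd_window=timedelta(days=7)):
    """Return (rule, account, mailbox, timestamp) tuples for two assumed rules:
    mass_delegation: one account added as delegate on >= mass_threshold mailboxes
        within mass_window.
    reinstated_without_reset: a removed delegation is re-added within readd_window
        while the delegate account's password was not reset after the removal."""
    alerts, grants, removed, last_reset = [], {}, {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "PasswordReset":
            last_reset[ev.account] = ev.ts
        elif ev.action == "DelegateRemoved":
            removed[(ev.account, ev.mailbox)] = ev.ts
        elif ev.action == "DelegateAdded":
            # keep only grants still inside the sliding window, then add this one
            recent = [t for t in grants.get(ev.account, []) if ev.ts - t <= mass_window]
            recent.append(ev.ts)
            grants[ev.account] = recent
            if len(recent) == mass_threshold:  # fire once, when the threshold is crossed
                alerts.append(("mass_delegation", ev.account, ev.mailbox, ev.ts))
            key = (ev.account, ev.mailbox)
            if key in removed and ev.ts - removed[key] <= readd_window:
                reset = last_reset.get(ev.account)
                if reset is None or reset < removed[key]:
                    alerts.append(("reinstated_without_reset", ev.account, ev.mailbox, ev.ts))
    return alerts

# Constructed audit trail modelled on the article's timeline (names are placeholders).
SAMPLE = [
    Event(datetime(2018, 2, 28, 22, 5), "DelegateAdded", "it-admin", "co-ceo"),
    Event(datetime(2018, 2, 28, 22, 6), "DelegateAdded", "it-admin", "finance-1"),
    Event(datetime(2018, 2, 28, 22, 7), "DelegateAdded", "it-admin", "finance-2"),
    Event(datetime(2018, 3, 1, 9, 30), "DelegateRemoved", "it-admin", "co-ceo"),
    Event(datetime(2018, 3, 1, 9, 31), "DelegateRemoved", "it-admin", "finance-1"),
    Event(datetime(2018, 3, 1, 9, 32), "DelegateRemoved", "it-admin", "finance-2"),
    Event(datetime(2018, 3, 2, 8, 15), "DelegateAdded", "it-admin", "co-ceo"),
    Event(datetime(2018, 3, 2, 10, 0), "PasswordReset", "it-admin"),
]

if __name__ == "__main__":
    for alert in delegation_alerts(SAMPLE):
        print(alert)
```

On the sample trail the first rule fires on the third grant of February 28 and the second fires on the March 2 re-add, because the only password reset comes after it; a reset placed between removal and re-add suppresses the second alert.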
Upon discovery of the breach, none of the involved PCI employees, including the IT Engineer, the two co-CEOs, and the CCO, consulted the ISSP to determine responsive steps.
On March 2, the same day that PCI management and employees learned of the email breach, the cyber criminals used customer information gleaned from the compromised emails to fraudulently extract funds. The cyber criminals sent an email to PCI, posing as a PCI customer and requesting that $1 million be wired from that customer’s omnibus account at PCI. The wire instructions identified a recipient bank account in Hong Kong, in the name of a third party not otherwise known to PCI.
Before approving the wire request, the Customer Service Specialist who received the initial email consulted a supervisor, and then the CCO, to inquire as to whether the wire was permissible. The CCO simply told the Customer Service Specialist to check whether the customer was sending funds to an account for one of its clients. The responding Customer Service Specialist replied to the fraudulent email directly to ask if the recipient in Hong Kong was a client of the PCI customer; the cyber criminals replied by email, affirming the recipient was a client and urging the Customer Service Specialist to complete the transaction. The Customer Service Specialist then approved the request, as did the finance department and other backstops within the PCI disbursement chain, and PCI wired the money out that afternoon.
PCI did not discover that the wire request was a fraud until Monday, March 5, when the defrauded customer called to ask why $1 million had been wired from its account.
Upon this discovery, PCI instituted measures to preclude additional fraudulent transfers, notified regulators that day, and within hours reimbursed its customer for the $1 million that had been improperly disbursed.
The co-CEOs ultimately determined not to inform their customers of the cybersecurity breach or the fraudulent wire transfer, and instead sent a non-specific warning to PCI customers about phishing schemes in general. From the outset, management made concerted efforts to keep the fact of the breach from its customers and the public, with one co-CEO directing staff in a company-wide email that “this is all confidential and no mention should be made outside the company – this is very important and could affect the company,” and separately asking the CCO to ask any customers who may have learned of the breach not to discuss it with others, as “it will only hurt our company for others to know and it to be talked about.”
Following the Commission’s investigation into this series of events, PCI took corrective actions to strengthen its cybersecurity defenses and improve its procedures. In addition, on February 21, 2019, PCI notified all customers for whom PCI held personally identifiable information as of March 2, 2018, about the past email breach and offered a twenty-four month membership in an identity theft monitoring service.
The CFTC order imposes monetary sanctions totaling $1.5 million, which includes a civil monetary penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to, among other things, provide reports to the Commission on its remediation efforts.