The US Commodity Futures Trading Commission (CFTC) has slammed the financial services firm Philip Capital Inc. (PCI) with a $1.5m fine for letting hackers compromise the company’s systems and for failing to disclose the hack to customers.
The phishing attack occurred in February 2018. It saw one employee be conned by an email from a hacked financial security firm account and entered login in response. As a result, the cyber criminals got access to PCI’s email systems and withdrew $1m from a customer’s account.
Despite irregularities appearing on the email system the next day, the engineer neglected to reset PCI’s main password or tell employees and managers about the breach for another day, Reuters reported.
The customer’s money was transferred to a Hong Kong bank on March 2 2018. The customer called PCI three days later to ask why $1m had been wired from the account. It was only then that the PCI learned about the breach.
The CFTC fine includes $1m in restitution to the customer defrauded by the attack and a $500,000 penalty. It found that PCI’s chief compliance officer was unfamiliar with both technology and cybersecurity. As a result, the executive was deemed unable to evaluate if PCI’s cybersecurity policies and training were adequate.
PCI has since notified customers of the hack and made efforts to beef up its digital defences.
Copyright © 2018 RegTech Analyst