The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cybersecurity failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals.
The case was brought after the unauthorized takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group.
The Cetera entities in question are Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, and Cetera Investment Advisers.
The Cambridge entities involved in the business email compromise (BEC) investigation included Cambridge Investment Research and Cambridge Investment Research Advisors.
Financial penalties
Without admitting or denying the charges, all eight investment advisory or broker dealer firms “agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty”, the SEC said in a press release issued on Monday (August 30).
The Cetera entities will pay $300,000, Cambridge will pay $250,000, and KMS Financial Services will pay $200,000.
The email account takeovers exposed personally identifying information related to at least 4,388 Cetera customers and clients via more than 60 compromised employee accounts between November 2017 and June 2020.
The data of more than 2,100 Cambridge customers and clients may have been compromised via more than 121 compromised email accounts between January 2018 and July 2021, and for KMS this was around 4,900 customers via 15 compromised email accounts between September 2018 and December 2019.
Security shortcomings
The SEC said Cetera Advisors and Cetera Investment Advisers sent breach notifications to clients that misleadingly suggested the notifications had been issued “much sooner” than was the case.
It also found that Cambridge Investment Group failed to bolster the security of cloud-based email accounts after discovering the first email account takeover in January 2018.
And the SEC censured KMS for failing “to adopt written policies and procedures requiring additional firm-wide security measures until May 2020”, or fully implementing them until August 2020.
“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Brute-force boom
The SEC sanctions coincided with related news of a spike in brute-force attacks, whereby various credential permutations are automatically and rapidly fed into targeted account login pages.
According to Abnormal Security’s Q3 2021 Email Threat Report, incidences of such attacks jumped 671% week-on-week in the week beginning June 6, 2021, with 32.5% of organizations in a range of sectors subject to brute-forcing attempts.
Researchers also saw a significant increase in phishing attacks designed to steal credentials, which accounted for 73% of all ‘advanced’ threats over the quarter.
The report additionally found that 137 of 100,000 mailboxes belonging to company executives were taken over in the second quarter of 2021.
With these socially engineered attacks readily evading “secure email gateways and other traditional email infrastructure”, Abnormal Security CEO Evan Reiser urged organizations “to comprehensively understand employee and vendor identities, their relationships, all with deep context, including content and tone to baseline good behavior”.
