Financial firm fined $850k for violating SEC cyber rules

Summary: Equiniti Trust Company has been penalized $850,000 by the SEC for failing to secure customer assets, leading to the theft of over $6.6 million in two cyberattacks. These incidents involved hackers impersonating clients to manipulate financial transactions and stealing sensitive information.

Threat Actor: Cybercriminals
Victim: Equiniti Trust Company

Key Points:

  • Equiniti Trust lost approximately $6.6 million due to two separate cyberattacks in 2022 and 2023.
  • In the first attack, hackers hijacked an email thread to impersonate a client (business email compromise); in the second, they used stolen Social Security numbers to open fake accounts that Equiniti's system automatically linked to legitimate ones.
  • The SEC found Equiniti violated regulations by failing to implement adequate cybersecurity measures to protect client assets.
  • The company managed to recover some of the stolen funds, reimbursing affected customers while acknowledging its security shortcomings.
  • Business email compromise has become a significant threat, with the FBI reporting $2.9 billion in losses due to such fraud in 2023.

A financial services firm has agreed to pay an $850,000 penalty to settle Securities and Exchange Commission charges over its handling of two cybersecurity incidents.

The SEC said in a statement that it had charged Equiniti Trust Company with failing to secure customer assets after more than $6.6 million was stolen in two separate cyberattacks in 2022 and 2023.

Hackers were able to hijack an email chain between the company and a U.S.-based client. The threat actor pretended to work for the client and asked Equiniti Trust to “issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank.”

An Equiniti Trust employee transferred about $4.78 million to bank accounts located in Hong Kong. Equiniti was able to recover about $1 million, according to the SEC.

Another incident occurred in April 2023 when a hacker allegedly stole the Social Security numbers of some Equiniti Trust account holders. The hacker created fake accounts using the Social Security numbers and Equiniti’s system automatically tied the fake accounts to legitimate ones belonging to clients. 

Only the Social Security numbers matched the legitimate accounts; the names and other personal information on the fake accounts did not. The system still linked the accounts automatically on that single attribute, giving the hacker control over the legitimate holdings. The hacker liquidated stocks and transferred about $1.9 million to other bank accounts.
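The linking flaw described above comes down to a matching rule that treats one identifier as proof of identity. The following is an added illustration, not Equiniti's code and not based on any published detail of its system: it contrasts a rule that links on SSN alone with one that requires corroborating attributes and routes partial matches to review instead of auto-linking. The `Account` fields, the sample records and the review/link/none outcomes are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    """Minimal account record for the example (hypothetical fields)."""
    account_id: str
    ssn: str
    last_name: str
    date_of_birth: str  # ISO 8601 date string
    email: str

def _norm_ssn(ssn: str) -> str:
    # Compare on digits only so "123-45-6789" and "123456789" are the same SSN.
    return re.sub(r"\D", "", ssn)

def _norm_name(name: str) -> str:
    return " ".join(name.casefold().split())

def link_on_ssn_only(new: Account, existing: list[Account]) -> Optional[str]:
    """The weak rule: a matching SSN is enough to link, whatever else disagrees."""
    for acct in existing:
        if _norm_ssn(acct.ssn) == _norm_ssn(new.ssn):
            return acct.account_id
    return None

def link_with_corroboration(new: Account, existing: list[Account]) -> tuple[str, Optional[str]]:
    """Hardened rule. Returns one of:
      ("link", id)   SSN, last name and date of birth all agree.
      ("review", id) SSN matches but other identity data does not. Never
                     auto-linked; treated as a possible identity-theft signal.
      ("none", None) no SSN overlap with any existing account.
    """
    for acct in existing:
        if _norm_ssn(acct.ssn) != _norm_ssn(new.ssn):
            continue
        corroborated = (
            _norm_name(acct.last_name) == _norm_name(new.last_name)
            and acct.date_of_birth == new.date_of_birth
        )
        return ("link", acct.account_id) if corroborated else ("review", acct.account_id)
    return ("none", None)

def may_transact_on_linked_holdings(decision: tuple[str, Optional[str]]) -> bool:
    """Only a corroborated link lets the new enrolment act on existing holdings."""
    return decision[0] == "link"

# Constructed sample data: one legitimate holder on file.
LEGIT = [
    Account("A-1001", "123-45-6789", "Doe", "1970-01-15", "jane.doe@example.com"),
]

# Constructed sample: an enrolment carrying a stolen SSN but otherwise
# unrelated identity data, the pattern the incident above describes.
FAKE_ENROLMENT = Account("A-9999", "123456789", "Smith", "1988-06-02", "new-mailbox@example.net")

if __name__ == "__main__":
    print("ssn-only:", link_on_ssn_only(FAKE_ENROLMENT, LEGIT))
    decision = link_with_corroboration(FAKE_ENROLMENT, LEGIT)
    print("corroborated:", decision, "may transact:", may_transact_on_linked_holdings(decision))
```

The point of the `"review"` outcome is that an SSN match with a mismatched name or date of birth is itself a signal worth acting on: it is exactly what a stolen-SSN enrolment looks like, so it should open a case rather than silently grant access.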

The company was eventually able to recover $1.6 million of the stolen funds. Equiniti — which previously went by the name American Stock Transfer — reimbursed all of the affected customers but the SEC found it had violated several regulations around measures financial firms have to take to protect user funds. 

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, director of the SEC’s San Francisco Regional Office. 

“As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

Business email compromise — where hackers use fake identities or bogus invoices to convince employees to hand over millions in company funds — has been a growing scourge over the last few years. 

Last week, a Luxembourg-based manufacturer told the SEC that about $60 million was stolen after an employee was tricked into making several wire transfers to cybercriminals.

In 2023, the FBI said BEC fraud was the second most damaging type of internet crime in the U.S., accounting for $2.9 billion in losses.


Source: https://therecord.media/financial-firm-fined-for-sec-violation