(Reuters) - The U.S. Commodities Futures Trading Commission (CFTC) said on Friday that a Chicago-based futures brokerage will pay a total of $1.5 million for letting cyber criminals breach the firm’s email systems and withdraw $1 million from a customer’s account.
Phillip Capital Inc (PCI) neither admitted nor denied the CFTC’s findings or conclusions, the CFTC said in a settlement with the firm. A Phillip Capital representative did not return a call requesting comment.
The case, which stems from a February 2018 phishing attack, illustrates the vulnerability of financial services firms to cyber attacks and how lapses in following procedures for responding to a cyber attack can spur trouble with regulators.
PCI violated U.S. regulations by, among other things, failing to disclose the breach to customers, the CFTC said.
The penalty includes $1 million in restitution to the customer defrauded by the attack and a $500,000 penalty.
In the attack, PCI’s information technology engineer received an email from a hacked financial security company account, then entered login details in response, not knowing that cyber criminals would receive the information.
The criminals accessed employee email accounts that contained detailed customer information, the CFTC said.
Irregularities in the email system appeared the next day, but the engineer, whom the CFTC did not identify, did not reset the firm’s main password or tell employees or managers about the breach for another day.
On March 2, 2018, cyber criminals used information found in the emails to pose as a customer via another email and facilitate the transfer of $1 million to a Hong Kong bank.
PCI, part of Singapore-based Phillip Capital Group, learned about the transfer three days later, when the defrauded customer called to ask why $1 million had been wired from its account.
Employees did not consult or follow the firm’s security procedures after the attack, the CFTC said.
The agency found that PCI’s chief compliance officer was not familiar with technology or cyber security and could not adequately evaluate whether the firm’s cyber security policies and training were adequate, the CFTC said.
PCI has since notified customers about the breach and taken steps to improve its cyber security, the CFTC said.
Reporting by Suzanne Barlyn in New York; Editing by Matthew Lewis
Our Standards: The Thomson Reuters Trust Principles.