Eight US financial services firms given six-figure fines over BEC data breaches

Thousands of victims involved as separate report warns of wider rise in brute-force attacks against accounts

The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cybersecurity failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals.

The case was brought after the unauthorized takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group.

INSIGHT Credential stuffing attacks: How to protect your accounts from being compromised

The Cetera entities in question are Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, and Cetera Investment Advisers.

The Cambridge entities involved in the business email compromise (BEC) investigation included Cambridge Investment Research and Cambridge Investment Research Advisors.

Financial penalties

Without admitting or denying the charges, all eight investment advisory or broker dealer firms “agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty”, the SEC said in a press release issued on Monday (August 30).

The Cetera entities will pay $300,000, Cambridge will pay $250,000, and KMS Financial Services will pay $200,000.

The email account takeovers exposed personally identifying information related to at least 4,388 Cetera customers and clients via more than 60 compromised employee accounts between November 2017 and June 2020.

The data of more than 2,100 Cambridge customers and clients may have been compromised via more than 121 compromised email accounts between January 2018 and July 2021, and for KMS this was around 4,900 customers via 15 compromised email accounts between September 2018 and December 2019.

Security shortcomings

The SEC said Cetera Advisors and Cetera Investment Advisers sent breach notifications to clients that misleadingly suggested the notifications had been issued “much sooner” than was the case.

It also found that Cambridge Investment Group failed to bolster the security of cloud-based email accounts after discovering the first email account takeover in January 2018.

And the SEC censured KMS for failing “to adopt written policies and procedures requiring additional firm-wide security measures until May 2020”, or fully implementing them until August 2020.

Read more of the latest social engineering news and attacks

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC enforcement division's cyber unit.

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

Brute-force boom

The SEC sanctions coincided with related news of a spike in brute-force attacks, whereby various credential permutations are automatically and rapidly fed into targeted account login pages.

According to Abnormal Security’s Q3 2021 Email Threat Report, incidences of such attacks jumped 671% week-on-week in the week beginning June 6, 2021, with 32.5% of organizations in a range of sectors subject to brute-forcing attempts.

Researchers also saw a significant increase in phishing attacks designed to steal credentials, which accounted for 73% of all ‘advanced’ threats over the quarter.

The report additionally found that 137 of 100,000 mailboxes belonging to company executives were taken over in the second quarter of 2021.

With these socially engineered attacks readily evading “secure email gateways and other traditional email infrastructure”, Abnormal Security CEO Evan Reiser urged organizations “to comprehensively understand employee and vendor identities, their relationships, all with deep context, including content and tone to baseline good behavior”.

READ MORE Microsoft Exchange Server had ‘ProxyToken’ vulnerability that leaked incoming emails