[TheRecord] SEC fines three companies over hacked employee email accounts

The US Securities and Exchange Commission has fined three brokerage firms on Monday for neglecting to secure employee accounts, incidents that led to the exposure of their customers’ data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) all settled with the SEC in three separate lawsuits [PDF: CeteraCambridgeKMS], the agency announced this week.

According to court documents, the three companies were hacked multiple times between 2017 and 2020, hid the intrusions, and failed to properly notify customers.


60 Cetera employees had cloud-based email accounts hacked between November 2017 and June 2020.The accounts exposed the data of at least 4,388 of its customers.The company used misleading language in its customer notification to suggest the notifications were issued sooner than they actually were.


121 Cambridge employees had cloud-based email accounts hacked between January 2018 and July 2021.Hacks exposed the data of 2,177 Cambridge customers.The company improved security only in 2021, despite the earlier hacks.


15 KMS employees had cloud-based email accounts hacked between September 2018 and December 2019.Hacks exposed the data of approximately 4,900 customers.SEC says KMS took months to bolster security measures, a process that started two years after the first hack, in May 2020, and finished in August of the same year.

The SEC said the three companies broke Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which requires companies to protect confidential customer information from hacks or accidental data leaks.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

According to the settlements, the three companies also agreed to pay fines. Cetera will pay $300,000, Cambridge will pay $250,000, and KMS will pay $200,000, the SEC said.

The post SEC fines three companies over hacked employee email accounts appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ESET] Rom‑con: How romance fraud targets older people and how to avoid it

All posts, ESET feed

Online dating scams often follow the same script – here’s what senior citizens should watch out for and how their younger relatives can help them avoid falling victim The post Rom‑con: How romance fraud targets older people and how to avoid it appeared first on WeLiveSecurity Source: Read More (WeLiveSecurity)

Read More

[ZDNet] What, exactly, is cybersecurity? And why does it matter?

All posts, ZDNet

Cyberattacks steal data and cause millions in economic costs. Learn what cybersecurity professionals do and how to protect your data with our guide. Source: Read More (Latest topics for ZDNet in Security)

Read More

Daily NCSC-FI news followup 2020-09-18

RampantKitten: An Iranian Surveillance Operation unraveled blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/ Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. While some individual sightings of this attack were previously reported by other researchers and journalists, our investigation allowed us to connect the several different campaigns and […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.