[TheRecord] SEC fines three companies over hacked employee email accounts

The US Securities and Exchange Commission has fined three brokerage firms on Monday for neglecting to secure employee accounts, incidents that led to the exposure of their customers’ data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) all settled with the SEC in three separate lawsuits [PDF: CeteraCambridgeKMS], the agency announced this week.

According to court documents, the three companies were hacked multiple times between 2017 and 2020, hid the intrusions, and failed to properly notify customers.


60 Cetera employees had cloud-based email accounts hacked between November 2017 and June 2020.The accounts exposed the data of at least 4,388 of its customers.The company used misleading language in its customer notification to suggest the notifications were issued sooner than they actually were.


121 Cambridge employees had cloud-based email accounts hacked between January 2018 and July 2021.Hacks exposed the data of 2,177 Cambridge customers.The company improved security only in 2021, despite the earlier hacks.


15 KMS employees had cloud-based email accounts hacked between September 2018 and December 2019.Hacks exposed the data of approximately 4,900 customers.SEC says KMS took months to bolster security measures, a process that started two years after the first hack, in May 2020, and finished in August of the same year.

The SEC said the three companies broke Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which requires companies to protect confidential customer information from hacks or accidental data leaks.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

According to the settlements, the three companies also agreed to pay fines. Cetera will pay $300,000, Cambridge will pay $250,000, and KMS will pay $200,000, the SEC said.

The post SEC fines three companies over hacked employee email accounts appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] Phishers impersonate US DOT to target contractors after Senate passed $1 trillion infrastructure bill

All posts, ZDNet

The attackers were trying to harvest Microsoft Office 365 credentials, according to INKY. Source: Read More (Latest topics for ZDNet in Security)

Read More

Daily NCSC-FI news followup 2020-01-01

Chrome extension caught stealing crypto-wallet private keys www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/ A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.

Read More

[TheRecord] DOJ launches program to train prosecutors in cybersecurity topics

The US Department of Justice announced a new fellowship program today designed to train “a new generation of prosecutors and attorneys” on cybersecurity issues, in order to better tackle national security threats and cybercrime. Named the Cyber Fellowship, the new program is one of the outcomes of a 120-day review of cybersecurity challenged the DOJ began in May […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.