Financial asset firm PCI ordered to pay $1.5 million for poor cybersecurity practices

Phillip Capital Inc. has been penalized for a data breach and failing to disclose the incident to clients quickly.

Phillip Capital Inc. (PCI) has been fined $1.5 million by the US Commodity Futures Trading Commission (CFTC) for "allowing" a data breach to occur and failing to alert its customers in a reasonable timeframe.

The CFTC said last week that the Chicago, Illinois-based firm will pay a penalty of $500,000 and $1 million in restitution to settle charges that the firm failed to protect its systems from cybersecurity threats.

PCI is a privately held Futures Commission Merchant (FCM) that offers a range of financial services to clients worldwide. The FCM claims shareholder equity of over $1 billion and assets under management of over $30 billion.

In February 2018, an engineer employed by PCI received an email from a compromised account at a financial security company. Unaware that a security incident had taken place, the engineer handed over a set of login details that were later used to access staff email accounts containing client data.

As reported by Reuters, odd behavior was noted in PCI's email system, but the staff member waited a day before informing managers about a potential data breach.

A month later, the threat actors responsible used the information they had obtained to pose as a customer and arranged the fraudulent transfer of $1 million to a bank account located in Hong Kong.

The impacted client found out about the transfer three days later.

The CFTC said that the financial services company not only failed to inform customers of the security lapse in a timely fashion, but also that employees were not adequately trained or informed of cybersecurity policies and procedures.

PCI did, however, reimburse the victim and has since taken steps to improve its cybersecurity posture. The company is now required to report its progress to the US agency.

"Cybercrime is a real and growing threat in our markets," said CFTC Director of Enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place -- and follow those procedures -- to protect their customers and their accounts from potential harm."

Businesses, especially when they act as custodians for sensitive client data -- whether financial or medical -- must take cyberthreats seriously. PCI may have walked away with a relatively light penalty for allowing this to occur, considering that the consequences could have been far more damaging had more than one client been targeted.

If the FCM had been based in Europe, for example, fines imposed by authorities could have been higher. Under the terms of the EU's General Data Protection Regulation (GDPR), penalties of up to €20 million or 4 percent of annual global turnover can be issued for failures to adequately protect data.

PCI had not responded to requests for comment at the time of writing.
