We recently reminded you that hacked New York companies are increasingly at risk of fines from the New York Attorney General.
We broke the news that Dunkin is being sued by the NY AG for being hacked and then responding in a fraudulent and deceitful manner.
This past June the AG announced that New York based Bombas LLC agreed to pay $65,000 in penalties and to implement a number of data security policies to resolve an investigation by the New York Attorney General’s Office into a breach of customer payment cards, in which the company failed to notify 39,561 consumers of the breach for over three years.
Now, Phillip Capital is faced with a CFTC fine of $1.5 million for not informing customers of a breach which took place in March of 2018. Yes, it is the Chicago Financial Trading Commission doing the fining here, but the case is instructive for New York financial companies as well.
You may have noticed a recurring theme here.
Phillip Capital (PCI) was sanctioned for allowing cyber criminals to breach its email systems, access customer information, and successfully withdraw $1 million in PCI customer funds. PCI also failed to disclose the cyber breach to its customers in a timely manner. Finally, PCI failed to supervise its employees with regard to cybersecurity policy and procedures, a written information systems security program (ISSP), and customer disbursements.
The incident occurred on February 28, 2018, when PCI’s IT Engineer received a phishing email from a hacked financial security organization account. The IT Engineer clicked on a PDF attachment to the email and entered the login information for the PCI administrator’s email account in order to access the document. Thus, the employee unwittingly provided those credentials to cyber criminals, who used them to access the IT Engineer’s email account. The IT Engineer’s email account had administrator privileges, and the cyber criminals were able to use those privileges to access the email accounts of PCI’s co-CEO and various PCI finance employees as well.
The compromised email accounts contained customer information. The next day, the IT Engineer noticed that the email account had been added as a delegate to various PCI email accounts and removed the delegation. But the IT Engineer neither reset the email account’s password nor notified management.
On March 2, the IT Engineer saw that the delegation removed the day before had been restored; the IT Engineer then recognized that the email account had been compromised. At that point, two days after the initial breach, the IT Engineer reset the email account’s password, informed management of the breach, and, at their instruction, sent an email informing all PCI employees of the email breach and directing them to change their email passwords.
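The two warning signs in the narrative above (one account being added as a delegate to several mailboxes in a short time, and a delegation reappearing shortly after an administrator removed it) are both visible in mailbox audit logs. The following Python script is an added example, not part of the original post and not Phillip Capital’s own tooling, showing how a defender could alert on both patterns. The record layout (timestamp, operation, actor, target mailbox, grantee) and the field names are an assumption loosely modelled on mailbox-permission audit events, and the log lines are constructed for the example.

```python
"""Flag suspicious mailbox-delegation changes in audit log records.

Added example. The record format below is an assumption (constructed for
this example, not a real product's audit schema):

    ts,operation,actor,mailbox,grantee

Two signals are raised:
  * FAN_OUT: one grantee is added as a delegate to FAN_OUT_THRESHOLD or more
    distinct mailboxes within FAN_OUT_WINDOW.
  * REDELEGATION: a delegation that was removed is added back within
    REDELEGATION_WINDOW, i.e. someone still has control of the account that
    is re-granting itself access after an administrator cleaned up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAN_OUT_THRESHOLD = 3
FAN_OUT_WINDOW = timedelta(hours=1)
REDELEGATION_WINDOW = timedelta(hours=72)

# Constructed sample records (not real log data). Addresses use a
# non-routable example domain; times are ISO 8601 in UTC.
SAMPLE_LOG = """\
2018-02-28T21:02:10Z,Add-MailboxPermission,it-engineer@example.test,co-ceo@example.test,it-engineer@example.test
2018-02-28T21:03:41Z,Add-MailboxPermission,it-engineer@example.test,finance1@example.test,it-engineer@example.test
2018-02-28T21:04:05Z,Add-MailboxPermission,it-engineer@example.test,finance2@example.test,it-engineer@example.test
2018-03-01T09:15:00Z,Remove-MailboxPermission,it-engineer@example.test,co-ceo@example.test,it-engineer@example.test
2018-03-01T09:15:30Z,Remove-MailboxPermission,it-engineer@example.test,finance1@example.test,it-engineer@example.test
2018-03-01T09:16:02Z,Remove-MailboxPermission,it-engineer@example.test,finance2@example.test,it-engineer@example.test
2018-03-01T23:40:12Z,Add-MailboxPermission,it-engineer@example.test,co-ceo@example.test,it-engineer@example.test
2018-03-01T23:41:00Z,Add-MailboxPermission,it-engineer@example.test,finance1@example.test,it-engineer@example.test
2018-03-02T08:00:00Z,Add-MailboxPermission,helpdesk@example.test,newhire@example.test,assistant@example.test
"""


def parse_records(text):
    """Parse comma-separated audit lines into dicts, sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, op, actor, mailbox, grantee = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operation": op,
            "actor": actor,
            "mailbox": mailbox,
            "grantee": grantee,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_fan_out(records, threshold=FAN_OUT_THRESHOLD, window=FAN_OUT_WINDOW):
    """One grantee gaining access to many mailboxes in a short window."""
    adds = defaultdict(list)  # grantee -> [(ts, mailbox), ...]
    for r in records:
        if r["operation"] == "Add-MailboxPermission":
            adds[r["grantee"]].append((r["ts"], r["mailbox"]))
    alerts = []
    for grantee, events in adds.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct mailboxes granted within `window` of this event.
            in_window = {mb for ts, mb in events[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"signal": "FAN_OUT", "grantee": grantee,
                               "first_seen": start, "mailboxes": sorted(in_window)})
                break  # one alert per grantee is enough
    return alerts


def detect_redelegation(records, window=REDELEGATION_WINDOW):
    """A removed delegation that comes back: the persistence pattern in the incident."""
    last_removed = {}  # (mailbox, grantee) -> time of most recent removal
    alerts = []
    for r in records:
        key = (r["mailbox"], r["grantee"])
        if r["operation"] == "Remove-MailboxPermission":
            last_removed[key] = r["ts"]
        elif r["operation"] == "Add-MailboxPermission" and key in last_removed:
            if r["ts"] - last_removed[key] <= window:
                alerts.append({"signal": "REDELEGATION", "mailbox": r["mailbox"],
                               "grantee": r["grantee"],
                               "removed_at": last_removed[key], "re_added_at": r["ts"]})
    return alerts


def analyze(text):
    """Run both detections over raw audit text and return all alerts."""
    records = parse_records(text)
    return detect_fan_out(records) + detect_redelegation(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the fan-out rule fires once (the compromised account is granted three mailboxes within two minutes) and the re-delegation rule fires for the two mailboxes that were cleaned up and then re-granted the same day; the routine helpdesk grant for a new hire produces no alert. The re-delegation signal is the one that matters operationally: an "Add" following a "Remove" for the same pair means the cleanup did not remove the attacker’s access, which is exactly why a password reset and session revocation, not just delegation removal, belongs in the first response.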
The co-CEOs ultimately determined not to inform their customers of the cybersecurity breach or the fraudulent wire transfer, and instead sent a non-specific warning to PCI customers about phishing schemes in general. From the outset, management made concerted efforts to keep the fact of the breach from its customers and the public, with one co-CEO directing staff in a company-wide email that “this is all confidential and no mention should be made outside the company – this is very important and could affect the company,” and separately asking the CCO to ask any customers who may have learned of the breach not to discuss it with others, as “it will only hurt our company for others to know and it to be talked about.”
How your organization can stay safe and reduce the risk of such a fine:
1) Determine if you are in possession of private information for New York residents, even if you are not conducting business in New York. This may be the opportunity to assess whether you need to retain this information for ongoing business purposes.
2) Ensure that you have administrative, technical, and physical safeguards in place that comply with the requirements of the SHIELD Act.
3) Develop, or revisit, internal policies for how the company will identify and respond to a data breach. Ensure that your employees understand the policies and that they are properly implemented and followed!
4) This is a good time to re-evaluate corporate cybersecurity – new attacks are launched constantly against organizations. We reported recently that the IRS issued a new scam warning, telling people not to click on emails that appear to come from the agency, as these are likely malicious messages disguised to look like they emanated from the IRS.
5) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.
6) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
7) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.