More Lessons on Cyber Control Failures
We have another glimpse into modern cybersecurity threats and the control weaknesses that allow those threats to happen, courtesy of an enforcement action against a financial services firm that twice was duped by hackers into selling their customers’ assets.
The financial services firm is Equiniti Trust Co., a registered transfer agent — that is, a firm that holds shares for other companies and acts as a go-between for those companies and their shareholders. Registered transfer agents must follow strict rules from the Securities and Exchange Commission about how to protect their clients’ assets, and this week the SEC fined Equiniti (until recently known as American Stock Transfer and Trust Co.) $850,000 for failing to meet those standards.
In brief, what happened is this. Equiniti suffered one cyber attack in 2022 and another in 2023, and on both occasions the attackers exploited poor control design to fool Equiniti employees into liquidating a total of $6.6 million in customer assets and sending those proceeds to overseas bank accounts. Equiniti and its bankers did manage to recover some of the money, but not all; and the SEC settlement order offers some valuable lessons to IT auditors, CISOs, risk managers, and anyone else concerned with developing strong cybersecurity controls to keep corporate assets safe.
The First Attack
The first attack against Equiniti happened in September 2022. That’s when some hacker out there (we don’t know who) snuck into an existing email chain between Equiniti and one of its corporate clients. The hacker essentially hijacked that conversation, pretending to be the corporate client. He then instructed Equiniti to issue millions of new shares, sell them on the public market, and send the proceeds to a bank account in Hong Kong.
Equiniti did this over the course of several weeks. It first issued 5.3 million new shares, then had a broker-dealer firm sell 3.3 million of them for a total of $4.78 million. Then, per the hacker-posing-as-client’s instructions, Equiniti sent that $4.78 million to the Hong Kong account.
The scheme wasn’t discovered until two months later, when the client company eventually noticed that its number of shares outstanding in the market didn’t match its internal records. Equiniti launched an investigation and recovered $1 million from Hong Kong, but the other $3.78 million was apparently long gone. (Equiniti reimbursed the corporate client for the difference.)
Analysis. This attack is known as a man-in-the-middle (MitM) attack, where the hacker intercepts an ongoing conversation and fools one side into thinking it’s talking with the other side. Then the attacker gets one side to do something it wouldn’t normally do, like sell millions of shares and forward the proceeds to a foreign country.
We don’t know how the attacker inserted himself into that email conversation. What’s more interesting, however, is that Equiniti did at least try to train its employees to beware of attacks like this — but those efforts weren’t enough to meet the SEC’s satisfaction.
For example, earlier that year, Equiniti’s cybersecurity folks did send employees an email warning them about an industry-wide increase in fraud attacks. That warning specifically mentioned fraudulent wire transfer requests sent by email, and told employees never to rely on a client’s emailed request alone: always call the client by phone to confirm the request verbally.
Sending a warning like that to employees is a good step to support the control environment (“heads up, folks; we need to beware of security threats”), and the specific procedure recommended (verify wire transfer requests by phone) was a good control activity. But Equiniti did not take additional steps to confirm that employees took those messages to heart. For example, Equiniti didn’t confirm that employees actually read its warning email, provide any training on the subject, or confirm the phone call-backs were being made.
So Equiniti took a stab at establishing a strong control environment, but didn’t follow up to enforce that environment.
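Here is one way to turn the phone call-back from a recommendation into an enforced control in the instruction workflow. This is an added illustration, not Equiniti’s code; the client master file, field names and the “confirmed beneficiary” rule are assumptions. The key design points are that the number dialed must be the number of record (never one supplied in the email), and that nothing executes until that call-back is logged.

```python
from dataclasses import dataclass, field

# Constructed client master file: the phone number of record is the only
# number a call-back may be made to. (Hypothetical data, not Equiniti's.)
CLIENT_MASTER = {
    "ACME-CORP": {"phone_of_record": "+1-555-0100"},
}


@dataclass
class Instruction:
    client_id: str
    action: str                 # e.g. "issue_and_sell_shares"
    beneficiary: str            # destination bank account supplied in the email
    callbacks: list = field(default_factory=list)


def record_callback(instr, employee, number_dialed, confirmed_beneficiary):
    """Log a verbal confirmation attempt. The number dialed is stored so the
    control can check it was the number of record, not one taken from the email."""
    instr.callbacks.append({
        "employee": employee,
        "number_dialed": number_dialed,
        "confirmed_beneficiary": confirmed_beneficiary,  # what the client actually confirmed
    })


def is_executable(instr):
    """Return (ok, reason). The instruction may proceed only if a call-back to
    the phone number of record verbally confirmed this exact beneficiary."""
    record = CLIENT_MASTER.get(instr.client_id)
    if record is None:
        return False, "unknown client"
    for cb in instr.callbacks:
        if cb["number_dialed"] != record["phone_of_record"]:
            continue   # a call to a number from the email itself proves nothing
        if cb["confirmed_beneficiary"] == instr.beneficiary:
            return True, "confirmed by call-back to number of record"
    return False, "no confirmed call-back to the phone number of record"
```

Because the call-back log lives on the instruction, auditors can also sample executed instructions and verify the control was actually performed, which is the follow-up step the SEC faulted Equiniti for skipping.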
The Second Attack
Equiniti suffered a separate attack in April 2023. In that episode, the attacker used a “synthetic identity” — that is, a real Social Security number he obtained on the dark web somewhere, plus a fabricated name, address, and other details. The attacker then posed as an individual Equiniti customer looking to buy shares of Equiniti’s corporate clients.
The flaw here was that Equiniti’s customer platform connected all of a customer’s accounts based only on that customer’s Social Security number. So if you were a legitimate Equiniti customer and I knew your Social Security number, I could create an account with my name and address but your SSN, and then I’d get to see all your accounts.
Well, that’s exactly what this hacker did. He created multiple fake accounts using real Social Security numbers, which gave him access to those legitimate users’ accounts. Over a period of several weeks he then liquidated $1.9 million of the victims’ assets, wiring the proceeds to outside accounts.
One of the processing banks flagged the transactions as suspicious, and soon enough Equiniti pulled back $1.6 million of the stolen funds. But Equiniti also had to shut down its online portal and rely on telephone orders for four months, while the company overhauled its access controls so Social Security numbers were no longer the skeleton key that allowed somebody to see all of a user’s accounts.
Analysis. The issue here was faulty control design. Equiniti had designed its access controls so that by default its platform relied on only one factor (a Social Security number) to let someone see all of a user’s accounts. In the modern era, where hackers can easily obtain at least one legitimate factor about pretty much anybody, that’s no longer sufficient. Corporations need to weave multi-factor authentication into the design of their access controls, and they need to do that all over the place.
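The design flaw and its correction, side by side, as an added example (not Equiniti’s code or schema): the weak version links every holding with a matching Social Security number to whatever profile presents it, while the hardened version links only when the profile’s identity data agrees with what is already on record for that SSN and the profile has completed MFA enrollment. A detective check that flags SSNs claimed by more than one distinct identity is included as well. The record layout, the name/DOB agreement rule and the MFA flag are assumptions chosen to illustrate the multi-factor principle.

```python
from collections import defaultdict

# Constructed sample of holdings accounts already on the books, each tied to
# an SSN and the owner's identity as recorded at account opening.
HOLDINGS = [
    {"account": "H-1", "ssn": "123-45-6789", "name": "Alice Example", "dob": "1970-01-01"},
    {"account": "H-2", "ssn": "123-45-6789", "name": "Alice Example", "dob": "1970-01-01"},
    {"account": "H-3", "ssn": "987-65-4321", "name": "Bob Example", "dob": "1965-06-30"},
]


def linked_accounts_weak(profile):
    """Flawed design: the SSN alone is the key, so any profile carrying a
    real SSN is shown every account tied to it."""
    return [h["account"] for h in HOLDINGS if h["ssn"] == profile["ssn"]]


def linked_accounts_hardened(profile):
    """Hardened design: SSN is necessary but not sufficient. The profile's
    identity data must agree with the data already on record for that SSN,
    and the profile must have a verified MFA enrollment before anything is
    linked. (In production the agreement check would be backed by identity
    proofing; name and DOB stand in for that here.)"""
    if not profile.get("mfa_enrolled"):
        return []
    return [
        h["account"] for h in HOLDINGS
        if h["ssn"] == profile["ssn"]
        and h["name"].casefold() == profile["name"].casefold()
        and h["dob"] == profile["dob"]
    ]


def flag_ssn_conflicts(profiles):
    """Detective control: return SSNs that more than one distinct identity has
    registered under, the signature of a synthetic-identity enrollment."""
    identities = defaultdict(set)
    for p in profiles:
        identities[p["ssn"]].add((p["name"].casefold(), p["dob"]))
    return sorted(ssn for ssn, ids in identities.items() if len(ids) > 1)
```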
This should not be news to corporations overall, and financial firms in particular. Plenty of regulators have sanctioned some company or another for failing to implement multi-factor authentication: the Federal Trade Commission, the New York Department of Financial Services, FINRA (the regulator for broker-dealers), and even the SEC itself.
The question for internal auditors, cybersecurity teams, and compliance officers is how to create a process for designing internal controls that reflects those modern cybersecurity expectations — one that can identify weaknesses such as poor access control, which might also be compliance violations along the way.
For its part, Equiniti did hire a chief control officer as part of its remediation, which is exactly the sort of role that could (with the right GRC tools) identify those weaknesses and get them fixed. The company also hired a cybersecurity consulting firm to do a complete review of its systems, and reimbursed the victims for their money lost.
Still, all those measures and Equiniti reverting to a telephone order system for four months (what is this, 1995?) — that’s an expensive way to learn the lessons here. The rest of us should take the cheap route and learn from Equiniti’s missteps.