Welcome to NexusFi: the best trading community on the planet, with over 150,000 members
This is really bad. Unbelievable they would have things like passport scans that vulnerable.
"The day I became a winning trader was the day it became boring. Daily losses no longer bother me and daily wins no longer excite me. Took years of pain and busting a few accounts before I finally got my mind right. I survived the darkness within and now just chillax and let my black box do the work."
It's one thing to patch a leaking boat; it's a required step, obviously. But the bigger question has to do with the absolutely appalling and amateur data security procedures AMP must have. Anything sensitive should be encrypted, so that even if the boat springs a leak (or a hacker gets in, or a disgruntled employee steals data), the stuff that leaks out is effectively useless (unless the encryption is compromised, of course).
In other words, if they had followed even the simplest and most basic of security protocols, then even the compromise of their entire database would not result in the loss of reasonably usable PII. Even an amateurish effort would have been a monumental improvement. AMP clearly must have done far less than the bare minimum, when most clients would expect their financial institutions to not seek the bare minimum in security.
It's easy to blame the third-party IT company and their shoddy backup practices. Their incompetence is staggering, but that seems like the molehill compared to the mountain of AMP's mistake. That ignores the bigger issue that sensitive data was left unencrypted and then was being stored and transmitted; the blame for that lies solely in AMP's lap, and it's not clear from this email that that was addressed in any way, shape, or form.
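The point the post above keeps coming back to is that a stolen backup should be worthless without a key that is stored somewhere else. Here is an added example of what that looks like in practice; it is not code from the thread, from AMP, or from the IT company, and the row layout, account IDs and the passport sample are all constructed. It encrypts a sensitive field with AES-256-GCM, binds the ciphertext to its account ID so a value copied into another row will not decrypt, and checks that a dumped row contains no plaintext. The key is assumed to live in a separate secret store (a KMS or HSM), never in the table or the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ClientRecord is a hypothetical database row. Only the account ID is
// plaintext; the passport scan is base64(nonce || AES-256-GCM ciphertext+tag).
type ClientRecord struct {
	AccountID   string
	PassportEnc string
}

// EncryptField seals plaintext under a 32-byte key with AES-256-GCM. The
// random nonce is prepended to the output, and the account ID is bound as
// additional authenticated data so a ciphertext moved to another client's
// row fails to decrypt.
func EncryptField(key []byte, accountID string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(accountID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any change to the key, nonce,
// ciphertext or account ID makes gcm.Open return an error.
func DecryptField(key []byte, accountID, enc string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(accountID))
}

// StoreClient builds the row that would be written to the database. The key
// is not part of the row: it is assumed to live in a separate secret store,
// so a dump or stolen backup of the table carries no key.
func StoreClient(key []byte, accountID string, passportScan []byte) (ClientRecord, error) {
	enc, err := EncryptField(key, accountID, passportScan)
	if err != nil {
		return ClientRecord{}, err
	}
	return ClientRecord{AccountID: accountID, PassportEnc: enc}, nil
}

// RowExposesPlaintext reports whether a dumped row contains the sensitive
// bytes verbatim, which is exactly what an unencrypted backup leaks.
func RowExposesPlaintext(rec ClientRecord, sensitive []byte) bool {
	return strings.Contains(rec.PassportEnc, string(sensitive))
}

func main() {
	key := make([]byte, 32) // constructed: a real key comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	scan := []byte("PASSPORT<<DOE<<JANE<<<<<<<<<<<<<<<") // constructed sample PII
	rec, err := StoreClient(key, "acct-0001", scan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println("row leaks plaintext:", RowExposesPlaintext(rec, scan))
	_, err = DecryptField(make([]byte, 32), rec.AccountID, rec.PassportEnc)
	fmt.Println("decrypt with wrong key fails:", err != nil)
}
```

The design choice worth noting is the additional authenticated data: encrypting each field on its own is not enough if an insider can shuffle ciphertexts between rows, so the row's identity is folded into the authentication tag.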
I am not sure what the legal requirements of AMP are.
I've seen prior breaches result in FBI investigations. Given the highly sensitive nature of the data contained in this breach, I would assume AMP would ask for all the resources available to them to determine who or if anyone else accessed this data prior to Chris.
They should also be forcefully resetting everyone's passwords to their portal systems, trading accounts, and anything else -- to ensure no one can use the plaintext passwords and login or place unauthorized trades.
AMP may have some sort of cyber insurance policy that would cover the costs involved in something like this. For example, if they choose to provide credit monitoring to all their customers to monitor for identity theft, or due to any legal action from customers.
I think in cases like this it's more a matter of commercial common sense than just legal obligations. If I were AMP I would do my utmost to reassure my customers that no data theft took place or, if it did, minimising the potential ramifications.
Anything short of that and it would be reasonable to assume a large portion of my customer base would take their business elsewhere.
I agree that commercial common sense here is of prime importance. What this breach shows more than anything else is AMP's attitude about data security. What is worth highlighting is that this kind of breach of this kind of unprotected sensitive data does not occur by mere negligence; it's enabled because of a complete disregard and lack of care about even basic security. This breach doesn't just show that AMP made a mistake; it shows that they must not have given the slightest care to data security; not the slightest care. I would not want to do business with a broker that had that kind of attitude about my sensitive data, no matter how much they apologize or mend their ways.