It for sure fuels the business of security & legal consultants;
it is not a wake-up call.
I have been in this business (I built a security scan lab for a big payment scheme).
(At that time I was CISA/CISSP/GIAC.)
You have:
- script kiddies
- wannabes
- minimal guys
- industry standard guys
- the top of the top (you fall off your chair)
One day I was asked to investigate an incident: how an external party could
have reconstructed a complex administrator password in under 48 hours...
(Logs showed it was even more like instantaneous...)
(which excludes brute force.) Once you know the answer it's easy.
To some extent, it's like trading...
This reminds me of a famous quote from one of my mentors:
"If you see somebody swimming in a problem, let him swim..."
CFTC Orders AMP Global Clearing LLC to Pay $100,000 for Supervision Failures Related to Cybersecurity of its Customers’ Records and Information
Washington, DC – The Commodity Futures Trading Commission (CFTC) today issued an Order filing and simultaneously settling charges against AMP Global Clearing LLC (AMP), a registered Futures Commission Merchant since 2010, for its failure between June 21, 2016 and April 17, 2017 to supervise diligently the implementation of critical provisions in AMP’s information systems security program (ISSP). As a result of this failure, a significant amount of AMP’s customers’ records and information were left unprotected for nearly ten months. In April 2017, as a result of this failure, a third party unaffiliated with AMP (Third Party) accessed AMP’s information technology network and copied approximately 97,000 files, which included customers’ records and information, including personally identifiable information. The Third Party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the Third Party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue.
CFTC’s Director of Enforcement Comments
James McDonald, the CFTC’s Director of Enforcement, commented: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”
Specifically, the Order finds that AMP failed to supervise its IT Provider’s implementation of ISSP provisions it was delegated with implementing under AMP’s supervision, including identifying and performing risk assessments of access routes into AMP’s network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. This failure left a significant amount of AMP’s customers’ records and information vulnerable to cyber-exploitation for nearly ten months, until the Third Party accessed AMP’s network.
The Order finds that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments failed to identify this vulnerability. Indeed, the Order finds that, before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organizations other than AMP, including some from the same manufacturer of AMP’s NASD. Yet AMP did not detect the vulnerability until its network was accessed and customer records and information compromised.
The Order requires AMP to pay a $100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. The Order further requires AMP to provide two written follow-up reports, within one year of entry of the Order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.
The Order recognizes AMP’s substantial cooperation and remediation during the CFTC’s Division of Enforcement’s investigation of this matter, which included providing important information and analysis to the Division that helped the Division to efficiently and effectively undertake its investigation. The Order notes that the civil monetary penalty imposed on AMP reflects AMP’s cooperation.
The CFTC thanks the Securities and Exchange Commission for its assistance in this matter.
Jeremy Christianson and Christopher Beatty from the CFTC’s Office of Data and Technology also provided assistance in this matter.
CFTC Division of Enforcement staff members responsible for this action are Harry E. Wedewer, Trevor Kokal, Candice Aloisi, Lenel Hickson, Jr., and Manal M. Sultan.
Peanuts compared to what a 'card replacement fee' would look like.
A card replacement fee is a financial compensation that an issuer and the card network impose on an acquirer or a merchant bank if sensitive card details are stolen. The card replacement fee allows the issuers and the scheme to issue new cards to the customers and block the stolen cards (add them to a blacklist).
A card replacement fee is +/- $20 per customer.
The report talks about files and not about individual customers...
It also does not allow one to estimate the monetary value of the breach.
In my feeling $100K is low... in this case, very low; for a party like AMP that does not hurt them.
A fine should have a function of 'hurting', to avoid a repeat in history.
Like if you drive intoxicated, $200 does not hurt; 3 months' driver's license revocation hurts more.
In the case of Finland it's a function of your net income, and then it can really hurt you big time!!
Just my impression.
In Europe things are quickly changing with a standard commonly known as GDPR.
On privacy the EU has always been light years ahead of the US.
Makes me wonder how many brokerages go through the cost/aggravation of maintaining PCI/DSS certification. As an Operations manager for a payments company that goes through this every year, I can attest that it's no simple (or cheap) exercise but I sure wouldn't want to be using anyone who WASN'T certified.