We saw several mistakes made by big companies in 2015. A company can get away with complete disregard for proper security practices for a short time, until the right attacker finds its vulnerability. Such is the case for a St. Louis-based investment adviser that did not implement the right security to protect its customers' personally identifiable information (PII).
The SEC charged RT Jones with failing to protect its users' data; the result was that 100,000 customers lost their PII to a hacker. The SEC has several guidelines and procedures that require registered investment firms to protect customer records, and it alleges that RT Jones disregarded them for almost four years.
RT Jones did not violate just one or two rules; it violated several. Here are a few of the major points from the SEC's investigation:
- RT Jones stored private customer data on third-party web servers
- The web server was publicly accessible, and a hacker breached it in July 2013
- The firm did not periodically review its security guidelines or perform risk assessments
- After discovering the breach, the firm asked a firm in China to confirm the attack
- RT Jones addressed the issue and alerted its 100,000 customers
- To date, no customers have suffered financial loss
RT Jones' biggest mistake was hosting PII on a publicly accessible web server. The SEC accused RT Jones of violating Rule 30(a) of Regulation S-P under the Securities Act of 1933 and issued a cease-and-desist order. RT Jones neither confirmed nor denied the allegations but agreed to abide by the order and bring its data handling into compliance.
Hackers have recently begun targeting investment firms, so financial and investment institutions should be on high alert for any suspicious behavior. The only way to detect suspicious traffic patterns, let alone defend against them, is to have the right security controls in place.
As more financial institutions lose money to breaches, the SEC will continue to investigate and fine organizations that do not properly protect their users' data. 2015 saw several breaches of financial institution data, and the SEC has made it clear that it will push to improve security across investment and financial firms.
RT Jones is an example of a firm that could have avoided these problems had it hired a consultant to review its risk assessment and better secure its network before the breach occurred. It is no longer acceptable for financial institutions to carelessly store their customers' personal information without proper security.