Equiniti settles SEC charges stemming from a pair of cyber intrusions
The attacks
The SEC said that in the first attack, in September 2022, a threat actor hijacked an email chain between the company, then known as American Stock Transfer & Trust Company, and one of its clients. Pretending to be an employee of the client company, the attacker instructed American Stock Transfer to issue millions of new shares in the client company, liquidate them, and transfer the approximately $4.78 million in proceeds to Hong Kong bank accounts. Only about $1 million was recovered.
In the second, unrelated attack, in April 2023, an attacker used Social Security numbers (SSNs) belonging to American Stock Transfer customers, stolen from an unknown source, to create fake accounts. American Stock Transfer’s systems automatically linked these accounts to the legitimate users’ real accounts based solely on the SSN, even though other personal information attached to the accounts didn’t match. The attacker used that access to liquidate the clients’ securities, transferring out approximately $1.9 million. Of that, about $1.6 million was recovered.
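The linking weakness described above, shown beside a stricter rule, as an added example that is not code from the SEC order or from Equiniti's systems. The record layout, the field names, the function names and the policy of requiring every corroborating field to match are assumptions made for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: str
    ssn: str
    name: str
    dob: str       # ISO date
    address: str

# Fields that must agree with the existing record besides the SSN (assumed policy).
CORROBORATING = ("name", "dob", "address")

def norm(value: str) -> str:
    """Compare case- and whitespace-insensitively."""
    return " ".join(value.lower().split())

def link_by_ssn_only(new: Account, existing: list[Account]) -> list[str]:
    """Weak rule from the article: an SSN match alone links the accounts."""
    return [a.account_id for a in existing if a.ssn == new.ssn]

def link_with_corroboration(new: Account, existing: list[Account]):
    """Stricter rule: an SSN match only nominates a candidate account.

    Returns (linked, review). Any mismatch in the other personal data sends
    the pair to manual review, with the mismatched fields recorded, and
    grants no access to the existing account.
    """
    linked, review = [], []
    for acct in existing:
        if acct.ssn != new.ssn:
            continue
        mismatched = [f for f in CORROBORATING
                      if norm(getattr(acct, f)) != norm(getattr(new, f))]
        if mismatched:
            review.append((acct.account_id, mismatched))
        else:
            linked.append(acct.account_id)
    return linked, review

# Constructed sample records (not real data; SSN area 000 is never issued).
EXISTING = [Account("A-100", "000-00-0001", "Pat Example", "1970-01-01", "1 Main St, Springfield")]
FAKE = Account("A-900", "000-00-0001", "J. Doe", "1985-05-05", "99 Other Rd")
SECOND = Account("A-101", "000-00-0001", "pat  example", "1970-01-01", "1 main st, springfield")

if __name__ == "__main__":
    print("SSN only:     ", link_by_ssn_only(FAKE, EXISTING))
    print("corroborated: ", link_with_corroboration(FAKE, EXISTING))
    print("real customer:", link_with_corroboration(SECOND, EXISTING))
```

The review list doubles as a detection signal: a new account that reuses a known SSN while disagreeing on every other field is the pattern the article describes.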
The penalties
To settle the charges, Equiniti agreed to pay a civil penalty of $850,000. In addition, the SEC said in a release, “The SEC’s order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.”