Shareholder-tracking company Equiniti shells out $850K to SEC over breaches
A company that manages registered shareholders for stock-issuing companies agreed to pay $850,000 under a settlement with the Securities and Exchange Commission over breaches in 2022 and 2023 that the commission said led to the loss of $6.6 million in client funds.
The SEC said that in 2022 an unknown attacker hijacked an email chain between a client and Equiniti, formerly known as American Stock Transfer, and fooled the firm into transferring nearly $4.8 million to Hong Kong bank accounts. In 2023, according to the agency, another unknown attacker created fake accounts that linked to real client accounts and then transferred $1.9 million to external bank accounts.
In the second case, the attacker was able to make the transfers “even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts,” according to the SEC. Stolen Social Security numbers abetted the theft.
“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” Monique C. Winkler, director of the SEC’s San Francisco regional office, said in a statement this week. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”
Equiniti was able to recover funds in both incidents — $1 million and $1.6 million respectively.
“The SEC was satisfied with the swift and decisive actions taken by Equiniti, which included making all client and shareholders whole, and this settlement concludes its investigation,” the company said in a statement to CyberScoop. “Equiniti has and continues to make significant investments into its business and technology to ensure client and shareholder assets are well protected from fraudulent activity.”
The SEC has stepped up its regulation and scrutiny of cybersecurity. Last month, though, a judge threw out most of the agency’s case against SolarWinds, which centered on allegedly misleading statements about the security of its Orion software around the time of the landmark breach of that company.
This story was updated Aug. 22, 2024, with comments from Equiniti.