The SEC and investment adviser R.T. Jones (RTJ) reached a settlement last week over a breach that RTJ suffered.
R.T. Jones, an investment advisor in St. Louis with about 8,000 clients, has agreements with retirement plan administrators to offer investment advice to participants in those plans via the web.
To log in to the site, a participant enters their name, date of birth and social security number, since that is all secret information (Hint: NOT!). To make that work, the information for a hundred thousand POSSIBLE users was stored on the web server, unencrypted.
The web server, hosted at a third party, had administrative rights limited to two employees (that is a good move). Unfortunately, the server was hacked.
RTJ hired a forensics company to assess the damage. The investigators concluded that the attack came from multiple IP addresses in mainland China, but the logs had been destroyed, so there was no way to tell what the attackers took, if anything.
This wasn’t a great outcome, so RTJ hired another firm to see if they could provide a better assessment, but they could not. In the end, RTJ notified all 100,000 people that their information had been breached.
In hindsight it seems obvious that using a birth date and social security number as login credentials is not a great thing to do.
In addition, storing that data unencrypted was not wise, but since the administrative credentials got compromised, the outcome would have been the same whether it was encrypted or not.
The fact that they had information for all possible customers instead of only the few that chose to avail themselves of RTJ’s advice is also a problem.
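To make the two lessons above concrete, here is an added example (not RTJ's code, and not from the SEC filing): a toy login that uses name, date of birth and SSN as the "password" against a full roster, beside a hypothetical hardened portal that only holds accounts for participants who actually enrolled and keeps nothing but a salted password hash. The roster entries are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample roster standing in for the plan administrators' data
# on every participant who *could* enrol (the post describes ~100,000 such
# records held in clear text on the web server).
ROSTER = [
    {"name": "Ada Example", "dob": "1970-01-01", "ssn": "000-00-0001"},
    {"name": "Bob Example", "dob": "1985-06-15", "ssn": "000-00-0002"},
    {"name": "Cy Example", "dob": "1992-11-30", "ssn": "000-00-0003"},
]


def weak_login(roster, name, dob, ssn):
    """The scheme described in the post: identity attributes act as the
    password and the whole roster sits on the server, so anyone holding a
    name, DOB and SSN (none of them secret) is 'authenticated'."""
    return any(r["name"] == name and r["dob"] == dob and r["ssn"] == ssn
               for r in roster)


class EnrolledPortal:
    """Hypothetical hardened variant: an account exists only once a
    participant enrols, the credential is a chosen password kept as a
    salted PBKDF2 hash, and no SSN or DOB is retained on the server."""
    ITERATIONS = 200_000

    def __init__(self):
        self.accounts = {}  # username -> {"salt": bytes, "hash": bytes}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enroll(self, username, password):
        # Identity proofing against the plan roster would happen here, off
        # this server, and is out of scope; nothing from that check is kept.
        if username in self.accounts:
            return False
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": self._derive(password, salt)}
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(self._derive(password, acct["salt"]), acct["hash"])

    def records_at_rest(self):
        """How many people's data a server compromise would expose."""
        return len(self.accounts)
```

With the weak scheme the exposure is the whole roster; with the enrolled portal it is the number of participants who chose to sign up, and even those records carry no SSN.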
As the SEC investigated, it turned out that RTJ did not have written security policies, did not conduct periodic risk assessments, did not use a firewall to protect the web server holding the client data, and lacked other measures that would reasonably be expected.
In the end, the SEC sanctioned them, fined them $75,000 and issued a cease-and-desist order against any future violation of Rule 30(a) of Regulation S-P (safeguarding customer information).
While marketing people say that there is no such thing as bad publicity, this is probably an exception to that saying.
The bad news here is that 92,000 of the people whose information was compromised were not even customers of RTJ. The plan administrators had provided that information to RTJ as a service to the participants.
Some attorneys are saying that this action, along with the risk alert the SEC issued last week, marks a new era for the agency, and that it plans to go after brokers and advisers that do not protect customer information more aggressively.
Information for this post came from the SEC web site.