NexusFi: Find Your Edge


Home Menu

 





AMP Trading data breach (70 gigs, ~100k files - customer data)


Discussion in Brokers

Updated
      Top Posters
    1. looks_one Big Mike with 9 posts (30 thanks)
    2. looks_two xplorer with 7 posts (5 thanks)
    3. looks_3 samsin78626 with 5 posts (0 thanks)
    4. looks_4 DeliberatingDinos with 4 posts (2 thanks)
      Best Posters
    1. looks_one Jigsaw Trading with 5 thanks per post
    2. looks_two Big Mike with 3.3 thanks per post
    3. looks_3 mattz with 3 thanks per post
    4. looks_4 rleplae with 3 thanks per post
    1. trending_up 29,442 views
    2. thumb_up 69 thanks given
    3. group 23 followers
    1. forum 54 posts
    2. attach_file 1 attachments




 
Search this Thread

AMP Trading data breach (70 gigs, ~100k files - customer data)

  #51 (permalink)
 
SMCJB's Avatar
 SMCJB 
Houston TX
Legendary Market Wizard
 
Experience: Advanced
Platform: TT and Stellar
Broker: Advantage Futures
Trading: Primarily Energy but also a little Equities, Fixed Income, Metals and Crypto.
Frequency: Many times daily
Duration: Never
Posts: 5,041 since Dec 2013
Thanks Given: 4,375
Thanks Received: 10,192

Thanks @Hood interesting email.

Made me wonder, has the security company that identified the weakness, while proclaiming to be helpful, actually committed a crime themselves?

Reply With Quote
Thanked by:

Can you help answer these questions
from other members on NexusFi?
Ninja Mobile Trader VPS (ninjamobiletrader.com)
Trading Reviews and Vendors
Online prop firm The Funded Trader (TFT) going under?
Traders Hideout
Deepmoney LLM
Elite Quantitative GenAI/LLM
NexusFi Journal Challenge - April 2024
Feedback and Announcements
Are there any eval firms that allow you to sink to your …
Traders Hideout
 
Best Threads (Most Thanked)
in the last 7 days on NexusFi
Get funded firms 2023/2024 - Any recommendations or word …
61 thanks
Funded Trader platforms
44 thanks
NexusFi site changelog and issues/problem reporting
24 thanks
GFIs1 1 DAX trade per day journal
22 thanks
The Program
19 thanks
  #52 (permalink)
 
rleplae's Avatar
 rleplae 
Gits (Hooglede) Belgium
Legendary Market Wizard
 
Experience: Master
Platform: NinjaTrader, Proprietary,
Broker: Ninjabrokerage/IQfeed + Synthetic datafeed
Trading: 6A, 6B, 6C, 6E, 6J, 6S, ES, NQ, YM, AEX, CL, NG, ZB, ZN, ZC, ZS, GC
Posts: 3,003 since Sep 2013
Thanks Given: 2,442
Thanks Received: 5,863


SMCJB View Post
Thanks @Hood interesting email.

Made me wonder, has the security company that identified the weakness, while proclaiming to be helpful, actually committed a crime themselves?

It for sure fuels the business of security & legal consultants,
it is not a wake-up call
i have been in this business (build a security scan lab for a big payment scheme)
(at that time i was CISA/CISSP/GIAC)

You have :
- script kidies
- wanna bees
- minimal guys
- industry standard guys
- the top of the top (you fall of your chair

One day i was asked to investigate an incident, how an external party could
have reconstruct a complex administrator password, in under 48 hours...
(logs showed it was even more like instantaneous...)
(which excludes brute force) Once you know the answer it's easy

To some extend, it's like trading...

This remembers me a famous quote of one of my mentors :
"If you see somebody swimming in a problem, let him swim..."

The quote is 30 y/o, but still valid...

Follow me on Twitter Visit my NexusFi Trade Journal Reply With Quote
Thanked by:
  #53 (permalink)
 
Big Mike's Avatar
 Big Mike 
Manta, Ecuador
Site Administrator
Developer
Swing Trader
 
Experience: Advanced
Platform: Custom solution
Broker: IBKR
Trading: Stocks & Futures
Frequency: Every few days
Duration: Weeks
Posts: 50,399 since Jun 2009
Thanks Given: 33,175
Thanks Received: 101,541


RELEASE: pr7693-18

February 12, 2018

CFTC Orders AMP Global Clearing LLC to Pay $100,000 for Supervision Failures Related to Cybersecurity of its Customers’ Records and Information

Washington, DC*– The Commodity Futures Trading Commission (CFTC) today issued an Order filing and simultaneously settling charges against*AMP Global Clearing LLC*(AMP), a registered Futures Commission Merchant since 2010, for its failure between June 21, 2016 and April 17, 2017 to supervise diligently the implementation of critical provisions in AMP’s information systems security program (ISSP). As a result of this failure, a significant amount of AMP’s customers’ records and information were left unprotected for nearly ten months. In April 2017, as a result of this failure, a third party unaffiliated with AMP (Third Party) accessed AMP’s information technology network and copied approximately 97,000 files, which included customers’ records and information, including personally identifiable information. The Third Party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the Third Party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue.

CFTC’s Director of Enforcement Comments

James McDonald, the CFTC’s Director of Enforcement, commented: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”

Specifically, the Order finds that AMP failed to supervise its IT Provider’s implementation of ISSP provisions it was delegated with implementing under AMP’s supervision, including identifying and performing risk assessments of access routes into AMP’s network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. This failure left a significant amount of AMP’s customers’ records and information vulnerable to cyber-exploitation for nearly ten months, until the Third Party accessed AMP’s network.

The Order finds that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments failed to identify this vulnerability. Indeed, the Order finds that, before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organizations other than AMP, including some from the same manufacturer of AMP’s NASD. Yet AMP did not detect the vulnerability until its network was accessed and customer records and information compromised.

The Order requires AMP to pay a $100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. The Order further requires AMP to provide two written follow-up reports, within one-year of entry of the Order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.

The Order recognizes AMP’s substantial cooperation and remediation during the CFTC’s Division of Enforcement’s investigation of this matter, which included providing important information and analysis to the Division that helped the Division to efficiently and effectively undertake its investigation. The Order notes that the civil monetary penalty imposed on AMP reflects AMP’s cooperation.

The CFTC thanks the Securities and Exchange Commission for its assistance in this matter.

Jeremy Christianson and Christopher Beatty from the CFTC’s Office of Data and Technology also provided assistance in this matter.

CFTC Division of Enforcement staff members responsible for this action are Harry E. Wedewer, Trevor Kokal, Candice Aloisi, Lenel Hickson, Jr., and Manal M. Sultan.

Media Contact
Dennis Holden
202-418-5088

Last Updated: February 12, 2018


https://www.cftc.gov/PressRoom/PressReleases/pr7693-18


Sent using the NexusFi mobile app

We're here to help: just ask the community or contact our Help Desk

Quick Links: Change your Username or Register as a Vendor
Searching for trading reviews? Review this list
Lifetime Elite Membership: Sign-up for only $149 USD
Exclusive money saving offers from our Site Sponsors: Browse Offers
Report problems with the site: Using the NexusFi changelog thread
Follow me on Twitter Visit my NexusFi Trade Journal Started this thread Reply With Quote
Thanked by:
  #54 (permalink)
 
rleplae's Avatar
 rleplae 
Gits (Hooglede) Belgium
Legendary Market Wizard
 
Experience: Master
Platform: NinjaTrader, Proprietary,
Broker: Ninjabrokerage/IQfeed + Synthetic datafeed
Trading: 6A, 6B, 6C, 6E, 6J, 6S, ES, NQ, YM, AEX, CL, NG, ZB, ZN, ZC, ZS, GC
Posts: 3,003 since Sep 2013
Thanks Given: 2,442
Thanks Received: 5,863

Thanks @Big Mike for posting/sharing

Peanuts compared to what a 'card replacement fee' would look like

A card replacement fee, is a financial compensation, that an issuer and the card network will impose to an acquirer or a merchant bank, if sensitive card details would be stolen. The card replacement fee allows the issuers and the scheme to issue new cards to the customers and block stolen cards (add to black list)

A card replacement fee is +/- 20$ per customer

The report talks about files and not about individual customers..
It also does not allow to estimate the monetary value of the breach.

In my feeling 100K$ is low... in this case, very low, for a party like AMP that does not hurt them
a fine should have a function of 'hurting', to avoid repeat in history
like if you drive intoxicated, 200$ does not hurt, 3 months driver license revocation hurts more
in case of Finland it's a function of your net income, and then it can really hurt you big time !!

just my impression

In Europe things are quickly changing with a standard commonly known as GDRP

On privacy EU has always been light years ahead of US

Follow me on Twitter Visit my NexusFi Trade Journal Reply With Quote
Thanked by:
  #55 (permalink)
 
Fu510n's Avatar
 Fu510n 
Suffield, CT
 
Experience: Advanced
Platform: MC, TS, Python, Rust
Broker: IB, IQFeed, TS, Kraken
Trading: ES, NQ, RTY, YM, CL, RB, 6E
Frequency: Several times daily
Duration: Seconds
Posts: 144 since Oct 2009
Thanks Given: 902
Thanks Received: 143

Makes me wonder how many brokerages go through the cost/aggravation of maintaining PCI/DSS certification. As an Operations manager for a payments company that goes through this every year, I can attest that it's no simple (or cheap) exercise but I sure wouldn't want to be using anyone who WASN'T certified.

My .02,
-Guy

Follow me on Twitter Reply With Quote
Thanked by:




Last Updated on May 31, 2018


© 2024 NexusFi™, s.a., All Rights Reserved.
Av Ricardo J. Alfaro, Century Tower, Panama City, Panama, Ph: +507 833-9432 (Panama and Intl), +1 888-312-3001 (USA and Canada)
All information is for educational use only and is not investment advice. There is a substantial risk of loss in trading commodity futures, stocks, options and foreign exchange products. Past performance is not indicative of future results.
About Us - Contact Us - Site Rules, Acceptable Use, and Terms and Conditions - Privacy Policy - Downloads - Top
no new posts