Welcome to NexusFi: the best trading community on the planet, with over 150,000 members Sign Up Now for Free
Genuine reviews from real traders, not fake reviews from stealth vendors
Quality education from leading professional traders
We are a friendly, helpful, and positive community
We do not tolerate rude behavior, trolling, or vendors advertising in posts
We are here to help, just let us know what you need
You'll need to register in order to view the content of the threads and start contributing to our community. It's free for basic access, or support us by becoming an Elite Member -- see if you qualify for a discount below.
-- Big Mike, Site Administrator
(If you already have an account, login at the top of the page)
I don't think the problem is about what kind of documentation to use to authenticate identities. Sometimes an organization requires a specific document type for operational reasons and there's little recourse to that.
I believe the issue has to do with leaving sensitive data such as passport scans or social security numbers unencrypted.
Thanks for your comments Pete. I agree with what you're saying. I think we are on a different page here though. There seems to have been a bit of conflict over whether the info has been made public on the net or if the vulnerability had been patched before customers were alerted as well as whether the info was in plain text as initially indicated or encrypted as per AMP's notice. I may have been a bit presumptive as to what the situation was early on.
I understand that there will always be vulnerabilities in software and hardware. There always has been. But my point really is why many of these companies it seems stores so much of our sensitive information unencrypted. Maybe I'm making assumptions again. Maybe I'm just a little cynical. Perhaps it comes down to a commercial decision, ie adding added layers of complexity and cost. I guess being in the vendor game yourself you would have a better insight than most.
I got an answer from AMP and this was the case. Still I think it was not their intention to use these "dubbed" links becuase they generate security alerts in customer end.
So no phishing here and it looks everything was ok.
As you were informed in that notice, a well-known Cybersecurity research company had reached out to us to alert us about a possible vulnerability in one in-house back-up file storage server. There was only one server of this type on our network and only this server has an apparently open design flaw. Since AMP had not authorized anyone else’s entry into its systems, we took immediate steps to secure our customers data. We took care to follow our Cybersecurity procedures which have previously been reviewed by our industry regulators as well as federal government agencies.
AMP has confirmed that no one other than the research company accessed the database:
Due to the nature of the access, AMP has been able to determine only one instance of outside access to the server through a thorough examination of the server logs. This access was traced directly to the point the security firm contacted AMP. The backdoor this research company exposed is an app that allows access to the server. This access leaves a definitive trace log, and is the only way into the server without authorization. AMP’s IT providers studied the trace logs and confirmed there was only one access that was unaccounted for, which was the research company’s activity. Hence, we have an account of all of the traffic to the server. At no point prior to the research company gaining access did any other entry occur. Therefore, we can say with certainty that only the research company’s access was successful, and hence our customer data was not accessed by anyone else.
The contents of the database that the research company was able to access:
The database that this research company was able to access includes but is not limited to account opening documentation done on paper only, of accounts that opened before October 2010 and 1099 tax documents of US customers from 2015 and before, which qualifies as Personal Identifying Information. However, we have been reassured that this research company has taken steps to keep the data secure and encrypted. The research company has stated that they are working with the SEC and will follow instructions from them regarding the fate of the data they were able to access. AMP is working with federal authorities to ensure that our customer data is safe and secure and will not be used for unlawful purposes such as identity theft.
Data is not accessible to the public
We have no evidence that suggests that personal information accessed by the research company from the database has been or will be used to commit identity theft. On the contrary, it is our belief that this research company is on a mission to make the world of cyberspace a safer place. To be clear, that access was limited to our back-up file storage server, that has a design flaw which the research company knows and understands well. We took their guidance as well as our own IT providers to block access to the server and take it off line. There was no access to the AMP Customer Portal, Customer funds, and no access to any of the trading platforms networks.
Subsequent actions by AMP
The access into the back-up file storage server was quickly determined and that access blocked, and very soon thereafter we decommissioned the accessed server altogether. We have also taken steps to implement end-to-end encryption on all of AMP’s housed data, for all data both in transit and at rest.
AMP has been in contact with various federal agencies as well as our regulators, and is working under their guidance, along with the research company to ensure the safety of our customer data.
AMP continues to be alert and monitor for evidence of identity theft. We will continue to provide alerts throughout this process if any further circumstances arise.
Additional precautions
As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies. You may change your password to your portal and trading platform as an additional precaution, change your passwords for other online accounts for which you use the same password, and take any other steps that you may deem appropriate to safeguard your personal information online."
