Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

SEC Sanctions Several Companies Over Email Account Hacking

The U.S. Securities and Exchange Commission (SEC) this week announced sanctions against several companies over cybersecurity failures that resulted in email accounts getting hacked and the exposure of customer information.

The U.S. Securities and Exchange Commission (SEC) this week announced sanctions against several companies over cybersecurity failures that resulted in email accounts getting hacked and the exposure of customer information.

A total of eight entities belonging to three companies have been sanctioned by the SEC, including Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors), and KMS Financial Services.

According to the SEC, Cetera exposed the personal information of at least 4,388 customers and clients between November 2017 and June 2020. In this timeframe, unauthorized third parties managed to hack into more than 60 cloud-based email accounts belonging to Cetera staff. The SEC was also unhappy with the fact that the breach notifications sent out by some of the Cetera companies were misleading in regards to when the breach was disclosed.

As for Cambridge Investment Research, the firms had more than 121 email accounts hijacked between January 2018 and July 2021, resulting in the exposure of information belonging to at least 2,177 customers and clients. While the first breach was discovered in January 2018, the SEC said Cambridge had failed to take action to improve protection for email accounts until 2021.

In the case of KMS, 15 financial advisers or their assistants had their email accounts hacked between September 2018 and December 2019, resulting in the exposure of information belonging to nearly 5,000 clients and customers. The SEC also determined that the company failed to implement additional security measures until August 2020.

The agency said each of the companies violated rules regarding the protection of confidential customer information, and Cetera also violated a rule related to breach notifications.

“Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty,” the SEC said.

Cetera will pay $300,000, Cambridge will pay $250,000, and KMS will pay a $200,000 penalty.

Related: US Expels Russian Diplomats, Imposes Sanctions for Hacking

Related: U.S. Treasury Sanctions Russian Institute Linked to Triton Malware

Related: European Union Extends Framework for Cyberattack Sanctions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.