An attack
The SEC said that in the first attack in September 2022, a threat actor hijacked an email chain between the company, then known as American Stock Transfer & Trust Company, and one of its customers, posing as an employee of the customer company, and ordered. American Stock Transfer will issue millions of new shares in the client company, liquidate them, and transfer approximately $4.78 million to Hong Kong bank accounts. Only about $1 million was recovered.
In a second, unrelated attack in April 2023, an attacker used stolen Social Security numbers (SSNs) of American Stock Transfer customers, stolen from an unknown source, to create fake accounts. American Stock Transfer’s systems automatically link these accounts to the user’s actual account based solely on the SSN, or other personal information attached to the accounts does not match. The attacker used that access to foreclose on customers’ securities, withdrawing an estimated $1.9 million. Of that, about $1.6 million was received.
Penalties
To settle the charges, Equiniti agreed to pay a civil penalty of $850,000. In addition, the SEC stated in its release, “The SEC’s order finds that Equiniti violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12 thereunder. In addition to the civil penalty mentioned above, Equiniti agreed to a cease and desist order and reprimand.”
Source link