Chinese Hackers Steal Millions in Wall Street Tech Firm Breach

A former commodities investor client of SS&C Technologies has sued the Wall Street technology firm for allegedly falling for a phishing scam by Chinese hackers, according to CNBC last week.

Tillage Commodities Fund (TCF) claimed SS&C Technologies wired almost $6m of its funds to the hackers back in March and that the email scam has taken it offline temporarily. Tillage alleges SS&C Technologies, its fund administrator, ignored its own protocol, resulting in the lost funds.

Tillage stated in a lawsuit that staff at SS&C failed to “exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats.”

Certainly for registered investment advisors, the SEC has made it clear that vendor due diligence is a top priority from a compliance perspective, says Eldon Sprickerhoff, the Founder and Chief Security Strategist at eSentire, which manages cyber threat detection and response services. He described attacks designed to affect wire transfers, such as the one that targeted Tillage using an important third-party vendor as the phishing vector, as highly effective and one of the most common attack vectors used by threat actors today.

Sprickerhoff added: “Every vendor has a responsibility to protect their client’s data; every firm has an obligation to manage third-party due diligence to protect themselves from these sorts of data breaches. Hindsight might make one wonder how the firm’s employees could fall for the falsified emails in the first place, but the reality is that the hallmarks we notice when examining these types of emails are exactly the kinds of things that busy employees miss when they’re simply moving from one task to another, especially when they take for granted that an email they’re reading is seemingly coming from a trusted client or partner.

“Learning these signs and triggers is something that can become muscle memory through regular cybersecurity training – it’s up to every organization to mandate and maintain a regular cadence around awareness training.”

According to the filed complaint, Sprickerhoff said, what makes this case troublesome is that hackers targeting Tillage were able to successfully extort funds through one of the firm’s vendors by impersonating TCF emails and falsifying supposed TCF information, which is a layer of complexity that makes it even easier to trick employees.

He said: “Unfortunately, this is a poignant use case that demonstrates the sophistication and evolution of phishing attacks.

“Like many other transaction breach cases we’ve seen this year, casual or lax authorization checkpoints can inadvertently greenlight these kinds of heists. It comes down to policy development and policy enforcement; it’s never been more important to evaluate and augment internal control measures.”

SS&C Technologies recently strengthened and enhanced its fund administrator capabilities by acquiring Wells Fargo Global Fund Services, adding 250 headcount serving more than 130 fund relationships in the US, the UK, Singapore and Hong Kong.
