The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a broker-dealer and investment adviser registered with the SEC. The order memorializes the SEC’s agreement to accept $1 million in settlement of charges alleging that VFA violated both the SEC’s “Safeguards Rule” and its “Identity Theft Red Flags Rule.” This was the SEC’s first enforcement action under the Identity Theft Red Flags Rule.
As background, over a six-day period in April 2016, fraudsters impersonating VFA independent registered representatives called VFA’s support line and requested password resets for three representatives’ accounts on the VFA web portal used to access VFA customer information. VFA reset the passwords, provided temporary passwords over the phone for all three representatives and, for two of the impersonated representatives, also provided the representatives’ user names to the fraudsters. Within three hours of the first fraudulent reset request, one of the actual representatives called VFA to report that he had just received an email notifying him that his password had been reset and that he had not requested this action. In response, VFA began to implement containment measures, but the actors were still able to obtain credentials, log in to the portal and access personally identifiable information (PII) for more than 5,600 customers. The actors were also able to set up new VFA customer accounts in VFA’s web portal. The investigation that ensued found no unauthorized transfers of funds or securities by the actors and no known cases of identity theft. VFA had also been subject to a similar attack between January and March of the same year, in which fraudsters used some of the same phone numbers and the same representative-impersonation techniques as in the April 2016 event. Additionally, one of the representatives targeted in the April 2016 event had also been targeted in that earlier incident.
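The facts above describe three signals that a help-desk password-reset process could have acted on: a caller phone number already seen in the earlier impersonation attempts, one caller requesting resets for several representatives in a short window, and a reset that the real account holder disputes shortly afterwards. The following is an added example, not code from the original alert or from VFA, that correlates constructed help-desk call records on those three signals and lists every account a flagged caller touched, so that containment after the first dispute covers the other impersonated representatives too. The record fields, phone numbers and representative IDs are all assumptions constructed for the example.

```python
"""Help-desk password-reset red flags (added example, constructed data).

Correlates reset requests taken over the phone and raises three flags:
  known_phone          caller number seen in an earlier impersonation attempt
  multi_account_phone  one caller number resetting more than one account
                       inside a time window
  disputed_reset       a granted reset that the real owner later disputes
It then derives the set of accounts to lock: every account reset by any
flagged caller, not only the account whose owner complained.
"""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResetRequest:
    ts: datetime            # when the support line took the call
    caller_phone: str       # caller ID as logged by the help desk (assumed field)
    account: str            # representative account the caller asked to reset
    granted: bool           # whether a temporary password was issued
    disputed_by_owner: bool = False  # real owner later reported the reset as unrequested


Flag = namedtuple("Flag", "rule phone account")

# Constructed sample records modelled on the incident narrative; not real VFA data.
# 555-0100 is assumed to be a number seen in the January-March attempts.
KNOWN_BAD_PHONES = frozenset({"555-0100"})
SAMPLE_REQUESTS = [
    ResetRequest(datetime(2016, 4, 11, 9, 0), "555-0100", "rep-A", True, disputed_by_owner=True),
    ResetRequest(datetime(2016, 4, 11, 10, 30), "555-0100", "rep-B", True),
    ResetRequest(datetime(2016, 4, 12, 14, 15), "555-0199", "rep-C", True),
    ResetRequest(datetime(2016, 4, 13, 11, 5), "555-0200", "rep-D", True),  # legitimate caller
]


def flag_reset_requests(requests, known_bad_phones=frozenset(), window=timedelta(days=7)):
    """Return the flags raised by processing requests in time order."""
    flags = []
    recent = defaultdict(list)  # caller phone -> [(ts, account)] inside the window
    for r in sorted(requests, key=lambda r: r.ts):
        hist = recent[r.caller_phone]
        hist[:] = [(ts, acct) for ts, acct in hist if r.ts - ts <= window]
        hist.append((r.ts, r.account))
        if r.caller_phone in known_bad_phones:
            flags.append(Flag("known_phone", r.caller_phone, r.account))
        if len({acct for _, acct in hist}) > 1:
            flags.append(Flag("multi_account_phone", r.caller_phone, r.account))
        if r.granted and r.disputed_by_owner:
            flags.append(Flag("disputed_reset", r.caller_phone, r.account))
    return flags


def accounts_to_contain(requests, flags):
    """Every account a flagged caller successfully reset, for revocation."""
    bad_phones = {f.phone for f in flags}
    return {r.account for r in requests if r.caller_phone in bad_phones and r.granted}


if __name__ == "__main__":
    found = flag_reset_requests(SAMPLE_REQUESTS, KNOWN_BAD_PHONES)
    for f in found:
        print(f"{f.rule:<20} caller={f.phone} account={f.account}")
    print("contain:", sorted(accounts_to_contain(SAMPLE_REQUESTS, found)))
```

Note what the sample deliberately shows: rep-C was reset from a number with no prior history, so phone correlation alone does not catch it, which matches the narrative that only some of the April numbers had been seen before. A reset request that arrives by phone should therefore also be held back pending an out-of-band confirmation to the representative’s registered contact, rather than relying on caller ID alone.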