Equiniti Trust Company Settles with SEC for $850,000 Over Cybersecurity Failures Leading to $6.6 Million Client Loss

Equiniti Trust Company has agreed to a settlement of $850,000 with the U.S. Securities and Exchange Commission (SEC) to resolve allegations that its inadequate security measures led to the theft of millions of dollars in client funds across two cyber incidents.

Formerly known as American Stock Transfer & Trust Company, Equiniti experienced two significant cyber intrusions in 2022 and 2023, resulting in the loss of over $6.6 million from client accounts, according to an SEC press release issued Tuesday. The SEC noted that American Stock compensated clients who suffered losses as a result of these incidents.

The SEC’s order emphasized that it was American Stock’s insufficient security protocols that enabled the attackers to successfully steal client assets.

The first incident occurred in September 2022, when a threat actor impersonated an employee of a public-issuer client of American Stock. The intruder successfully convinced the company to issue millions of new shares, eventually liquidating $4.78 million and transferring the funds to a bank account in Hong Kong, according to the SEC.

The second breach, in April 2023, involved a different threat actor who used stolen Social Security numbers to access American Stock accounts and steal $1.9 million. The SEC alleged that the company approved the transfers despite discrepancies between the fake names and other fabricated personal information and those of the legitimate account holders.

The SEC acknowledged Equiniti’s cooperation in the investigation, which included steps to improve its cybersecurity measures. These efforts included hiring a chief control officer responsible for overseeing cybersecurity and engaging a third-party cybersecurity firm to conduct a forensic review.

Equiniti, which settled without admitting or denying the SEC’s findings, was not immediately available for comment.

By fLEXI tEAM