The old-fashioned telephone turns out to be a way to hack into other people’s accounts. Voya Financial was the victim of cybercriminals using their phones instead of their computers.
Voya ran the portal for its investment advisers and registered representatives to to manage the accounts of their customers. Voya also had a support line to help the advisers and representatives with problems on the portal. That included resetting passwords to the portal.
The hackers called the support line impersonating an adviser or representatives and got access to the portal. That gave the hackers access to Voya’s customers and account information.
The bad facts for Voya were that that some of those hacker calls came from phone numbers that Voya had previously flagged for fraudulent activity. I guess that means that the hacker called one person on the support line and failed to get past that support person. So the hacker tried again with a different support person who was more willing to believe the hacker.
At least on of the impersonated representatives called the support line saying he had received an email confirming the password change, but that he had not requested a password change. The red flag was up that Voya was under attack, but at least two other attacks were subsequently successful.
Voya had to pay a $1 million penalty and be subject to a third-party compliance review. The penalty was imposed even though there was known negative financial impact on the Voya customers. It looks like the hackers got in, but couldn’t get money out.
The case appears to be the first action under Rule 201 of Regulation S-ID (17 C.F.R. § 248.201), the “Identity Theft Red Flags Rule”.
Sources:
