4iQ Issues Report on 2018 Identity Breaches, Finding 424 Percent Increase from 2017

On March 5, identity intelligence company 4iQ announced the release of its report on identity-breach trends in 2018, titled “The Changing Landscape of Identities in the Wild: The Long Tail of Small Breaches.” The report, which drew on large amounts of breached and leaked data found from open sources in the surface, deep, and dark web, saw “a significant shift from attacks on not just large companies, but increasing attacks on a greater number of small businesses – the long tail – as hackers targeted unsophisticated and unsecured small businesses and supply chain vendors .”

4iQ’s specific findings about identity-breach trends included the following:

  • There were 12,449 new and authentic breaches and leaks in 2018, reflecting a 424 percent increase from 2017. That total translates to 1,037 breach every month, or 34 breaches every day.
  • The average breach size in 2018, however, was 216,884 records, 4.7 times smaller than in 2017. 4iQ interpreted these results to indicate that hackers were both more willing and able “to attack larger numbers of smaller targets.”
  • 9 billion raw identity records circulated across the web – a 71 percent increase from the 8.7 billion raw identity records circulating in 2017. After 4iQ curated (i.e., analyzed, normalized, and cleansed) the raw data, it found approximately 3.6 billion records that were real and new – a 20 percent increase from 2017’s total of 3 billion curated identity records.  4iQ characterized 2018 as “a record year for breaches caused by open devices, with a much larger number of accidental exposures than exposures due to hacking.”
  • “Government Agencies” had the largest growth as an exposed industry in 2018, increasing 291 percent from 2017. On this point, 4iQ specifically noted that “[f]or the first time we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio.”  It also observed that numerous 2018 data dumps from the United States, China, and Russia exposed citizen data and voter records as well as financial and customer databases.
  • The top five exposed industries included forums and referral sites (27.5 percent), government agencies (12.2 percent), gaming and gambling (11.8 percent), e-commerce (11.7 percent), and education and academia (9.2 percent).
  • “The circulation and repackaging of username and password databases into “Combo Lists” has seen a sharp increase in 2018.” One Combo List form May 2018 that 4iQ reviewed contained 98 gigabytes of data; another Combo List from January 2019 contained 1 terabyte of data including 1.82 billion credentials.
  • North America was the continent with the greatest percentage of curated breaches (37.2 percent), followed by Asia (34.5 percent), Europe (17.8 percent), South America (9.9 percent), Oceania (4.2 percent), and Africa (0.18 percent).  4iQ “saw breach exposure growth in China, Russia, Vietnam, Japan, and Brazil” since 2017.
  • Examples of data for sale included a file with 21 million identities from Peruvian citizens that could be used to make fake identity cards, tax data, passport images, and health and auto insurance cards.

Note: In cybersecurity, it is easy for cybersecurity experts and compliance officers, in conceptualizing data-breach risks, to fall back on the availability heuristic and define the problem in terms of data breaches associated with leading brands, such as Marriott Starwood, Cathay Pacific, and Facebook in 2018.  The 4iQ report is instructive in demonstrating that while companies and agencies of all sizes and in all sectors should be concerned about the overall growth of identity breaches in 2018, small- and medium-size enterprises should take particular note of the increased likelihood that they can be targeted for data breaches and take action to bolster their cyber defenses accordingly.

Global Witness Reports That Anonymous Companies Registered in Tax Havens Own More Than 87,000 English and Welsh Properties Worth Up to £100 Billion

On March 17, the anti-corruption organization Global Witness announced that its analysis of HM Land Registry data showed that anonymous companies registered in tax havens own more than 87,000 properties in England and Wales.  It also stated that “[t]he value of these properties is at least £56 billion according to Land Registry data – and likely to be in excess of £100 billion when accounting for inflation and missing price data.”

The Global Witness analysis found that 40 percent of the anonymously owned properties that it identified are in London.  Within London, the areas with the highest number of anonymously owned properties (as of March 2019) are 10,000 in Westminster, 5,729 in Kensington and Chelsea; 2,320 in Camden; and 1,930 in Tower Hamlets.

Note: Since 2016, the United Kingdom Government has made available, through the public register at Companies House, a public central register of company beneficial-ownership information for companies incorporated in the United Kingdom.  The Government, however, has yet to implement its proposal of a public central register for company beneficial-ownership data for non-United Kingdom companies.

It is encouraging to see the Government’s increasing use of its Unexplained Wealth Order authority to reveal ownership of property by persons reasonably suspected of involvement in, or of being connected to a person involved in, serious crime.  But that authority, as valuable as it is for law enforcement, is no substitute for a comprehensive and complete listing of beneficial ownership.   If the Government wants, as Minister of Security Ben Wallace put it, “the ‘full force of the government’ to bear down on criminals and corrupt politicians using Britain as a playground and haven,” and to constrict the laundering of an estimated £90 billion each year, it needs to deploy a comprehensive public register that pieces the veil of foreign ownership of United Kingdom properties and provides much-needed transparency.

There is no guarantee that this latest Global Witness analysis will prompt the Government to reverse course on its recent decision to pull the debate and votes on a bill that would expand public-register requirements to British overseas territories.  It may, however, keep alive debate about the importance of a more extensive public central register, as part of a comprehensive Government response to the problems of money laundering and tax evasion.

Solving “The Mystery of Maduro’s Gold”

Since last November, when President Trump signed an Executive Order that authorized sanctions directed at Venezuela’s gold sector, officials in Venezuelan President Nicolas Maduro’s administration have tried multiple routes to move large quantities of Venezuelan gold reserves out of the country, to relieve the considerable financial pressures on the regime.  In late January, Venezuelan authorities shipped three tons of gold to the United Arab Emirates (UAE), reportedly as the first step in a plan to fly up to 29 tons of gold reserves to the UAE and to sell them for cash in euros.  Even after plans for that larger shipment were canceled, Maduro’s team has continued to search for international gold buyers willing to risk running afoul of U.S. sanctions.

The latest chapter in this saga began on February 27, when, according to Reuters, a Venezuelan opposition leader and government sources stated that at least eight tons of gold had been removed from the Venezuelan Central Bank’s vaults.  At the time, those sources did not indicate that they knew where that quantity of gold was headed.

That mystery now appears to have been solved.  Today The Times reported that in early March, two flights from Venezuela had delivered a total of 7.4 tons of gold into Uganda.  Entebbe-based African Gold Refinery (AGR)  – the largest gold refinery in East Africa – received one shipment of 3.8 tons on March 2, and a second shipment of 3.6 tons on March 4, “neither of which are said to have passed through customs.”  When Ugandan police raided AGR on March 7, they reportedly found the March 2 shipment missing, but the March 4 shipment is now in the custody of the Ugandan central bank.

This report indicates the extreme lengths – in logistical and geographic terms — to which the Maduro regime is apparently willing to go to ensure its own survival, even at the cost of inflicting long-term damage to the nation’s economy.  The larger mystery is now whether the opposition can win control of the country before Maduro can exhaust the remaining 140 tons of gold reserves in his central bank or succeed in repatriating the 31 tons of Venezuelan gold that the Bank of England has in its vaults.

FINRA Fines Cantor Fitzgerald $2 Million for Regulation SHO Violations on Short Sales and Supervisory Failures

On March 5, FINRA announced that it had fined financial services firm Cantor Fitzgerald & Co. (Cantor) $2 million for violations of SEC Regulation SHO (Reg SHO) —  which addresses concerns regarding persistent failures to deliver and potentially abusive “naked” short selling — and supervisory failures spanning a period of at least five years, from January 2013 through December 2017.

FINRA found that, during that five-year period, “Cantor’s supervisory system, including its written supervisory procedures (WSPs), was not reasonably designed to achieve compliance with the requirements of Reg SHO.”  It specifically identified the following examples of those deficiencies and failures:

  • Use of Manual System to Supervise Reg SHO Compliance: FINRA found that in light of Cantor’s business expansion and increased trading activity – which more than doubled over just two years, from 35 billion shares in 2013 to 79 billion shares in 2014 – its use “of a predominantly manual system to supervise its compliance with Reg SHO was not reasonable.”
  • Failure to Address Deficiencies by Compliance Personnel Over Multiple Years: FINRA found that

Cantor’s compliance personnel identified red flags in 2013, 2014 and 2015 indicating that the firm had systemic issues with Reg SHO and that its supervisory systems were not reasonably tailored to its business. While Cantor made some changes, it did not adapt and enhance its supervision to address the deficiencies its personnel identified, commit additional staffing to monitoring its compliance with Reg SHO, or implement WSPs relating to its new lines of business until 2016.

  • Ineffective Enhancements: FINRA found that “Cantor’s enhancements to its supervisory systems and procedures were not fully effective. For example, Cantor failed to identify fails-to-deliver in accounts that were not monitored by its supervisory systems.”
  • Failure to Remediate Timely: FINRA also found that

Cantor failed to timely remediate issues identified by its personnel. This was not reasonable considering, among other things, the firm’s prior disciplinary history relating to Reg SHO. As a result, Cantor did not timely close-out at least 4,879 fails-to-deliver, and routed and/or executed thousands of short orders in those securities without first borrowing (or arranging to borrow) the security or issuing notice of the need for a pre-borrow to the broker-dealers for whom it cleared and settled trades.

Cantor neither admitted nor denied the findings, but consented to the entry of FINRA’s findings.  In addition, as part of the settlement, Cantor agreed to retain an independent consultant to conduct a comprehensive review of the firm’s policies, systems, procedures, and training related to Reg SHO.

Note: In its Letter of Waiver, Acceptance and Consent, FINRA noted that Cantor had made efforts to improve its supervisory systems, including hiring a new Chief Compliance Officer (CCO) in April 2015, creating a Reg SHO working group in the fall of 2015, and seating additional compliance personnel on the trading floor.  Nonetheless, the fact that Cantor, according to the findings, continued to engage in misconduct for more than 2 ½ years after the hiring of the new CCO suggests a deeper problem with the firm’s culture of compliance during that period.

In one sense,  Cantor was fortunate that its compliance failures involved Reg SHO.  Had the program in question involved a higher-profile category of compliance, such as anti-money laundering (AML), the kinds of systematic program failures that FINRA identified could well have resulted in criminal or civil penalties amounting to tens of millions, even hundreds of millions, of dollars.

Even so, CCOs in financial services firms should regard this resolution as a reminder that each specific compliance program under his or her supervision needs to be appropriately resourced and implemented to show regulators that all of those programs are effective, and that senior management needs to understand that fact.  Regulators will not average the results of each component of a firm’s compliance program — giving, so to speak, an A to its anti-bribery program, a C to its AML program, and an F to its broker-dealer program – and conclude that each component is entitled to an overall passing grade.  Systemic, long-term supervisory failures and ignoring of red flags in any particular compliance program is virtually guaranteed to invite enforcement action by the relevant regulator or law enforcer.

Federal Reserve Permanently Bans Two Former Goldman Sachs Investment Bankers from Banking Industry for 1MDB Scheme Participation

On March 12, the U.S. Federal Reserve Board announced that it was banning two former senior investment bankers in the Goldman Sachs Group, Tim Leissner and Ng Chong Hwa (also known as Roger Ng), for their participation in a scheme to illegally divert billions of dollars from the Malaysian sovereign wealth fund 1Malaysia Development Berhad (1MDB).

The Board stated that in their capacities as senior investment bankers employed by foreign subsidiaries of Goldman Sachs, Leissner and Ng coordinated bond offerings arranged by Goldman for 1MDB in 2012 and 2013.  “The funds diverted from 1MDB,” according to the Board, “were then used for the conspirators’ personal benefit and to bribe certain government officials in Malaysia and Abu Dhabi.”

Leissner, who consented to the permanent ban, was fined an additional $1.42 million by the Board.  In 2018, Leissner had pleaded guilty to a criminal information, filed in the Eastern District of New York and unsealed in November 2018, that charged him with conspiracy to violate the Foreign Corrupt Practices Act (FCPA) and money-laundering conspiracy in connection with his participation in the scheme described above.  In connection with that plea, Leissner was also ordered to forfeit $43,700,000.

In November 2018, Ng was arrested in Malaysia pursuant to a provisional arrest warrant filed by the United States, and the U.S. Department of Justice announced the unsealing of an indictment in the Eastern District of New York against Ng and fugitive Malaysian financier Jho Low for FCPA conspiracy and money-laundering conspiracy for their roles in the above-described scheme.  In December 2018, Malaysia also indicted Ng for his role in the scheme. Ng subsequently agreed to waive extradition and to return to the United States to face the charges against him, but Malaysian Attorney General Tommy Thomas reportedly “advised the government against doing so until Ng’s cases in Malaysian courts are completed.”

Note:  The Board’s action against Leissner and Ng reflects a continuation of the more aggressive stance that it has taken on bankers’ participation in foreign bribery since the 2016 FCPA resolution with JP Morgan Securities (Asia Pacific) Limited (JP Morgan APAC).  In that latter resolution, which involved hiring of children of foreign government officials in order to obtain improper business advantages, the Board permanently barred two former JP Morgan APAC investment bankers from the industry without the bankers’ being criminally charged in the United States, and assessed a $1 million civil penalty against one of the former bankers and a $500,000 civil money penalty against the other former banker.

In this case, the Board chose to take action against Ng even before he pleaded or was found guilty of either set of criminal charges, and evidently negotiated a resolution with Leissner after his 2018 guilty plea.  There is every reason to expect that the Board will continue similar uses of its prohibition authority in future FCPA cases involving the financial sector.