by Jeremy Feigelson, Avi Gesser, Norma Angelica Freeland, Marc Ponchione, Gregory T. Larkin, and Robert Maddox
We have recently written about the persistence of the three most common cyber attacks: Ransomware, Phishing and Business Email Compromises (BECs) and the increased regulatory scrutiny that companies face when they fall victim to these attacks. Two recent developments demonstrate that credential stuffing is yet another serious cybersecurity risk that is on the rise and has the attention of regulators. First, on September 15, 2020, New York’s Attorney General, Letitia James, announced a $650,000 settlement with Dunkin’ Donuts, stemming from a 2015 security breach that targeted almost 20,000 customers using credential stuffing. Second, on the same day, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert (the “Risk Alert”) on observed best practices by registered investment advisers and broker-dealers (together, “firms”) to protect customer accounts against credential stuffing. In this client update, we will discuss the cybersecurity and regulatory risks posed by credential stuffing and several ways to mitigate these risks.