Employees of the US Commodity Futures Trading Commission – an independent agency of the United States government that regulates futures and option markets – have had their personal information and Social Security numbers compromised by an attacker that managed to get into one of their colleague’s email account.
The account was compromised after the employee in question fell for a phishing email and shared information he shouldn’t have – among other things, either his email password or information that allowed the attacker to guess it.
Armed with that knowledge, the attacker accessed the account and emails with attachments containing the names, Social Security numbers and possibly other sensitive personally identifiable information belonging to the agency’s employees.
According to Bloomberg, the breach took place in May, but the employees were notified of it only recently.
CFTC spokesman Steve Adamske said that the agency “believes at this time that the data breach is contained to employee information and does not compromise any trading or market data.”
The affected employees will receive identity protection from a credit-monitoring company for free, and training on how to spot spear phishing attacks in the future.
The CFTC has also declared that it would ramp up its security efforts to prevent future breaches, and that it has notified the authorities about this one.