
Hi Fellow Trader,

We are sending you this email as an update following the notice we sent to you on April 28, 2017 (available here: https://clients.ampfutures.com/notice-customer-data-incident-report) in order to keep you abreast of the most recent developments.

As you were informed in that notice, a well-known cybersecurity research company had reached out to alert us about a possible vulnerability in one in-house back-up file storage server. There was only one server of this type on our network, and only this server has an apparently open design flaw. Since AMP had not authorized anyone else’s entry into its systems, we took immediate steps to secure our customers’ data. We took care to follow our cybersecurity procedures, which have previously been reviewed by our industry regulators as well as federal government agencies.

AMP has confirmed that no one other than the research company accessed the database:

Due to the nature of the access, AMP has been able to determine only one instance of outside access to the server through a thorough examination of the server logs. This access was traced directly to the point the security firm contacted AMP. The backdoor this research company exposed is an app that allows access to the server. This access leaves a definitive trace log, and is the only way into the server without authorization. AMP’s IT providers studied the trace logs and confirmed there was only one access that was unaccounted for, which was the research company’s activity. Hence, we have an account of all of the traffic to the server. At no point prior to the research company gaining access did any other entry occur. Therefore, we can say with certainty that only the research company’s access was successful, and hence our customer data was not accessed by anyone else.

The contents of the database that the research company was able to access:

The database that this research company was able to access includes, but is not limited to, account opening documentation done on paper only, for accounts opened before October 2010, and 1099 tax documents of US customers from 2015 and before, which qualify as Personal Identifying Information. However, we have been reassured that this research company has taken steps to keep the data secure and encrypted. The research company has stated that they are working with the SEC and will follow instructions from them regarding the fate of the data they were able to access. AMP is working with federal authorities to ensure that our customer data is safe and secure and will not be used for unlawful purposes such as identity theft.

Data is not accessible to the public

We have no evidence that suggests that personal information accessed by the research company from the database has been or will be used to commit identity theft. On the contrary, it is our belief that this research company is on a mission to make the world of cyberspace a safer place. To be clear, that access was limited to our back-up file storage server, which has a design flaw that the research company knows and understands well. We took their guidance, as well as that of our own IT providers, to block access to the server and take it offline. There was no access to the AMP Customer Portal, no access to customer funds, and no access to any of the trading platforms’ networks.

Subsequent actions by AMP

The access into the back-up file storage server was quickly determined and that access blocked, and very soon thereafter we decommissioned the accessed server altogether. We have also taken steps to implement end-to-end encryption on all of AMP’s housed data, for all data both in transit and at rest.

AMP has been in contact with various federal agencies as well as our regulators, and is working under their guidance, along with the research company, to ensure the safety of our customer data.

AMP continues to be alert and monitor for evidence of identity theft. We will continue to provide alerts throughout this process if any further circumstances arise.  

Additional precautions

As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies. You may change your password to your portal and trading platform as an additional precaution, change your passwords for other online accounts for which you use the same password, and take any other steps that you may deem appropriate to safeguard your personal information online.

You may obtain information from these sources about fraud alerts and security freezes. Information about the major reporting agencies is as follows:

Equifax Credit Information Services, Inc.
P.O. Box 740241
Atlanta, GA 30374
You may request a fraud alert online by following this link: https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
Call toll-free 1-888-766-000

TransUnion
P.O. Box 1000
Chester, PA 19022
You may request a fraud alert online by following this link: https://fraud.transunion.com/fa/fraudAlert/landingPage.jsp
Call toll-free (855) 681-3196

Experian
P.O. Box 2104
Allen, TX 75013-0949
You may request a fraud alert online by following this link: https://www.experian.com/fraud/center.html
Call toll-free 1-888-EXPERIAN (397-3742)

The Federal Trade Commission can be reached at the below address and phone number:

Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Telephone: (202) 326-2222

Toll free: (877) 382-4357

Website: https://www.ftc.gov/

In conclusion, customer data at AMP is not at any heightened risk due to the entry of the research company into the database, and AMP has taken concrete steps to instill safeguards that will increase the safety of our customer data.

If you have any questions, please feel free to reach out to our customer service representative at https://www.ampfutures.com/contact-us/