Commission Settles Cyber Incident
Cyber security has emerged as a key issue facing virtually every company. While company security systems have undoubtedly improved over the years, those behind these incidents have also added to, and improved, their skills. The stakes are huge not just for large public companies but also for smaller private firms that may house quantities of employee and/or customer data. A cyber incident at any of these firms can result in the exposure of large troves of non-public personal data. If a firm is hacked, it and its employees and customers may face potentially untold threats and damage. The Commission’s latest case in this area involves a firm that was infiltrated by a threat actor. SEC v. Ashford, Inc., Civil Action No. 3:25-cv-00082 (N.D. Tex. Filed 1/13/25).
Ashford, a public company, provides products and services to the real estate and hospitality industries. In September 2023 the firm learned that it had been subjected to a cybersecurity attack and ransomware demand by a foreign-based threat actor. The threat actor gained access to the firm and exfiltrated about 12 terabytes of data stored on its internal systems.
As required, Ashford disclosed the incident after it was identified. In September 2023 the firm disclosed in a Form 10-Q that it had experienced a Cyber Incident. The filing stated that the firm had completed an investigation and identified “certain employee information that may have been exposed. . .” The report went on to state that the company “had not identified that any customer information was exposed.” Similar disclosures were made in two subsequent filings.
Ashford knew that, contrary to its disclosures, customer information was exposed: the files exposed in the incident contained customer information. According to documents produced by the company to the Commission during its investigation, this included sensitive personally identifiable information for some customers. The inaccurate disclosures violated Securities Act Section 17(a)(3) and Exchange Act Section 13(a) as well as Rules 12b-20, 13a-1 and 13a-13.
To resolve the matter, the company consented to the entry of a permanent injunction based on the Sections cited. The firm also paid a civil penalty of $115,231, which took into account the cooperation of the company with the Commission’s investigation.
See Lit. Rel. No. 26215 (January 13, 2025)