πŸ³οΈβ€βš§οΈ trans rights are human rights πŸ³οΈβ€βš§οΈ
Theme

Rialto fined $50K after data breach leaked 4,400 people’s personal information like social security numbers.

TL;DR

  • A hacker broke into a Rialto Markets employee’s email and sat there, undetected, for over three months, reading the Social Security numbers, driver’s license numbers, and home addresses of 4,400+ customers.
  • While inside that email account, the hacker then stole over $1 million ($1 million, more than most Americans will save in their entire working lives) by faking a wire transfer from a client escrow account to their own bank.
  • FINRA had already warned Rialto Markets to fix its cybersecurity before any of this happened; the firm ignored the warning.
  • The punishment for exposing 4,400 people’s most sensitive data and enabling a $1 million theft: a $50,000 fine ($50,000, roughly the median annual salary of a single American worker).
  • Rialto Markets settled without admitting or denying any wrongdoing, and the fine was formally accepted on June 11, 2025.
The regulatory warning FINRA gave Rialto before this happened, and how the firm responded to it, is documented word-for-word in Legal Receipts, and it will make you furious.

They Left the Door Wide Open

A hacker had full, unrestricted access to the Social Security numbers, driver’s license numbers, and home addresses of 4,400 people for over three months, and the firm responsible paid less to settle the case than a single worker earns in a year.

Rialto Markets LLC, a seven-person brokerage firm headquartered in New York City, left a door wide open for a cybercriminal. That criminal walked in, helped themselves to the private financial identities of thousands of customers, and then used the same access to wire over $1 million ($1 million, more than most Americans accumulate in 40 years of saving) out of a client escrow account into their own pocket. The firm had no multi-factor authentication. It had no logs of who accessed email, so there was nothing to review. It had no alerts for suspicious activity, such as a login from an anonymized IP address. It had no controls over email forwarding rules, the mechanism an intruder typically uses to quietly copy a mailbox out.
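The four controls listed above (MFA, access logs, anomalous-login alerts, forwarding-rule controls) are exactly what a small firm's mailbox audit trail would have surfaced in the first hours of this intrusion. The script below is an added illustration written for this page; it is not code from FINRA, from Rialto Markets, or from the article's author. Its JSON-lines event shape, field names, anonymizer prefix list, employee name, domain and thresholds are all assumptions for the example; real mail platforms each have their own audit schema. It runs over a constructed five-event log and returns a finding for each event that the missing alerts should have caught.

```python
"""Mailbox audit triage for the controls the AWC says were missing.

Added, illustrative script: not code from FINRA, Rialto Markets or the
article's author. The JSON-lines event shape, the field names, the CIDR
list, the user name, the domain and the thresholds are assumptions for this
example; real mail platforms (Microsoft 365, Google Workspace) each have
their own audit schemas.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed: prefixes the organisation treats as anonymising (Tor exits, VPN
# providers). 203.0.113.0/24 is a documentation range used as a stand-in.
ANONYMIZER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
CORP_DOMAIN = "example-broker.test"   # assumed corporate mail domain
BULK_ACCESS_THRESHOLD = 500           # assumed: items read in one burst

# Constructed sample events, oldest first. Day 1 is the employee's normal
# login; day 2 is the intrusion pattern: a login without MFA from an
# anonymising address, an auto-forward rule to an outside mailbox, then a
# bulk read of the mailbox.
SAMPLE_LOG = """
{"ts":"2021-11-02T09:01:00Z","user":"jdoe@example-broker.test","event":"Login","ip":"198.51.100.10","mfa":true,"result":"Success"}
{"ts":"2021-11-03T02:14:00Z","user":"jdoe@example-broker.test","event":"Login","ip":"203.0.113.45","mfa":false,"result":"Success"}
{"ts":"2021-11-03T02:16:00Z","user":"jdoe@example-broker.test","event":"New-InboxRule","forward_to":"jdoe.backup@mail.test"}
{"ts":"2021-11-03T02:17:00Z","user":"jdoe@example-broker.test","event":"MailItemsAccessed","count":850}
{"ts":"2021-11-04T09:05:00Z","user":"jdoe@example-broker.test","event":"Login","ip":"198.51.100.10","mfa":true,"result":"Success"}
"""


def parse_events(text):
    """Parse JSON-lines audit events; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymizer(ip):
    """True if ip falls inside any configured anonymiser prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def triage(text):
    """Return one finding per suspicious event, in log order.

    Reasons emitted:
      no_mfa                    successful login that did not complete MFA
      anonymizer_ip             login from a configured anonymising prefix
      new_ip_for_user           login from an address this user has not used before
      external_forwarding_rule  inbox rule forwarding mail outside CORP_DOMAIN
      bulk_mail_access          more than BULK_ACCESS_THRESHOLD items read at once
    """
    findings = []
    seen_ips = defaultdict(set)   # per-user baseline built as the log is read
    for ev in parse_events(text):
        user, kind = ev["user"], ev["event"]
        if kind == "Login" and ev.get("result") == "Success":
            ip = ev["ip"]
            reasons = []
            if not ev.get("mfa", False):
                reasons.append("no_mfa")
            if is_anonymizer(ip):
                reasons.append("anonymizer_ip")
            # Only flag "new" once a baseline exists; a user's first-ever
            # login in the log is not suspicious on its own.
            if seen_ips[user] and ip not in seen_ips[user]:
                reasons.append("new_ip_for_user")
            seen_ips[user].add(ip)
            if reasons:
                findings.append({"ts": ev["ts"], "user": user, "ip": ip, "reasons": reasons})
        elif kind == "New-InboxRule":
            target = ev.get("forward_to", "")
            if target and not target.lower().endswith("@" + CORP_DOMAIN):
                findings.append({"ts": ev["ts"], "user": user, "forward_to": target,
                                 "reasons": ["external_forwarding_rule"]})
        elif kind == "MailItemsAccessed" and ev.get("count", 0) > BULK_ACCESS_THRESHOLD:
            findings.append({"ts": ev["ts"], "user": user, "count": ev["count"],
                             "reasons": ["bulk_mail_access"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

On the constructed log the first-day login produces nothing and the second day produces three findings: the no-MFA login from an anonymizing address the user has never used, the forwarding rule to an outside mailbox, and the bulk read. The point of the example is that none of it is exotic; the precondition is that mailbox audit logging exists at all, which the settlement says it did not.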

FINRA, the financial industry’s self-regulatory body, had already told Rialto to fix exactly this. The firm did nothing. Then the breach happened.

“An unauthorized user gained access to a firm employee’s business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers — including Social Security numbers, driver’s license numbers, and home addresses — for over three months.”
— FINRA AWC No. 2022075714101

The Timeline of Failure

Rialto Markets: Breach Timeline

Timeline of Events (2021–2025)

  • Before Nov 2021: FINRA issues a prior cybersecurity warning to Rialto
  • Nov 2021: hacker gains access to an employee’s email account
  • Nov 2021 to Feb 2022: 3+ months undetected; 4,400 customer records exposed
  • Feb 2022: $1M+ fraudulent wire transfer
  • After Feb 2022: breach finally detected
  • Jun 11, 2025: FINRA settles; $50K fine

The breach began in November 2021. For more than three months, a criminal roamed freely through a Rialto employee’s email account. In February 2022, that criminal used the still-active access to execute a fraudulent wire transfer of over $1 million ($1 million, enough to fully fund approximately 13 Americans through a four-year college degree, tuition and fees included). The firm did not detect or stop the access until after the money was already gone.

Government authorities recovered some of the stolen funds. The escrow agent covered the rest to make the offeror whole. The 4,400 people whose Social Security numbers, driver’s license numbers, and home addresses were exposed for months? They got free credit monitoring.


The Non-Financial Ledger

What Money Can’t Quantify

Your Social Security number is the skeleton key to your financial life. Anyone who has it can open credit cards in your name, file false tax returns to steal your refund, take out personal loans you’ll spend years disputing, and even commandeer your medical records. Rialto Markets handed that key to a criminal for over three months and did not tell anyone while it was happening.

The customers whose data was exposed were not day traders or hedge fund managers with personal legal teams. Rialto’s business focuses primarily on the sale of private placements, meaning these are everyday investors who trusted a small brokerage firm with their identity documents. They handed over their driver’s license numbers and home addresses as part of the routine compliance paperwork every brokerage requires. That is a reasonable, unavoidable act of trust. Rialto turned that trust into a vulnerability and then failed to protect it for months.

“The nonpublic personal information of over 4,400 firm customers — including Social Security numbers, driver’s license numbers, and home addresses — was exposed for over three months.”

Consider what three months of unrestricted access actually means. A thief with a Social Security number and home address can ruin a person’s credit before that person even realizes anything is wrong. They can drain benefits. They can create phantom identities. They can harass someone at their home. The damage from identity theft does not arrive in one obvious moment; it accumulates in the background, in small denials and strange letters and unexplained credit inquiries, for years. Some victims spend a decade untangling the mess.

Rialto did eventually notify affected customers and offer free credit monitoring after discovering the breach. But they offered that notification only after the fraudulent $1 million wire transfer forced them to confront the breach. The customers were not the reason the firm finally acted. The missing money was.


Legal Receipts

Straight From the Document


The Numbers That Tell the Story

Fine vs. Theft: An Uncomfortable Comparison

$50,000 Fine vs. $1,000,000+ Theft Enabled

[Bar chart, dollar amount (USD) from $0 to $1M+: $50,000 FINRA fine paid by Rialto versus $1,000,000+ fraudulent transfer enabled by negligence]

Chart note: The fine bar is drawn to scale. It is barely visible. That is the point.

The fine Rialto paid, $50,000 ($50,000, roughly what a full-time worker at the U.S. median wage earns in a year), works out to 5 cents for every dollar of the theft that the firm’s negligence made possible. Spread across the victims, it is $11.36 per person. It comes nowhere near the cost of the fraud investigation, of credit monitoring for 4,400 customers, or of the years those customers will now spend wondering whether someone is using their Social Security number.


Societal Impact Mapping

Who Actually Pays the Price

Economic Inequality: The Penalty Gap Is the System Working as Designed

Rialto Markets is a seven-person brokerage. The $50,000 fine ($50,000, roughly one year’s median American salary) lands on a firm that operates in private placements, a market segment catering to higher-income investors and companies. For a firm at that level, $50,000 is a rounding error on a compliance budget, not a deterrent.

Compare that with what the 4,400 exposed individuals face. Identity theft costs its victims an average of hundreds of hours in recovery time and, in serious cases, thousands of dollars in direct losses, legal fees, and damaged creditworthiness. The aggregate economic damage to 4,400 people from months of Social Security number exposure dwarfs the fine many times over. The people with the least legal and financial firepower absorb the real cost. The firm writes a check that doesn’t hurt and moves on.

The escrow agent made the offeror whole on the $1 million ($1 million, more than 20 Americans will earn in a full year at median wages, combined) theft. Government authorities recovered some funds. The customers whose personal data was stolen got no financial remedy at all, only free credit monitoring, which does nothing to fix damage that has already occurred.

The firm that left 4,400 people’s Social Security numbers exposed for months paid less than a single worker earns in a year. The customers paid with their peace of mind.

Public Health: The Invisible Wound of Identity Exposure

Identity theft and data exposure carry documented psychological costs. Research consistently links identity theft to elevated anxiety, depression, sleep disruption, and long-term stress from the ongoing, unpredictable nature of the harm. A stolen Social Security number does not cause one incident; it causes a years-long pattern of uncertainty. Every unexpected credit inquiry, every unfamiliar account on a credit report, every letter from an unknown creditor restarts the trauma cycle.

The 4,400 people affected by this breach had their driver’s license numbers and home addresses exposed alongside their Social Security numbers. Home addresses in the hands of a criminal are a physical safety risk, not just a financial one. Rialto’s failure exposed its customers to a spectrum of harm that extended well beyond their investment accounts.

Rialto offered free credit monitoring after the breach was discovered. Credit monitoring tells you after something has gone wrong. It does not prevent the harm; it just documents it. That response, while better than silence, does not address the emotional or physical safety dimensions of what was exposed.


The “Cost of a Life” Metric

What Rialto’s Negligence Was Actually Worth

$50,000

The total fine paid by Rialto Markets for exposing 4,400 people’s Social Security numbers, driver’s license numbers, and home addresses for over three months.

That is $11.36 per affected person β€” less than the cost of a large pizza β€” for months of exposure of their most sensitive personal data.

$1,000,000+

The fraudulent wire transfer the hacker executed using the same email access Rialto’s negligence enabled.

That is $1 million ($1 million, more than a typical American worker earns in 20 years of full-time employment) that left a client escrow account because Rialto had no multi-factor authentication, no audit logs, and no suspicious activity alerts.

3+ Months

The length of time a criminal had unrestricted access to the personal data of 4,400 customers before Rialto detected anything at all.

The firm detected the breach only after the money was already gone. The data exposure was a secondary discovery β€” not the trigger for action.


What Now?

Names, Watchlists, and Next Steps

Key People on Record

  • Susan Xouris, Chief Compliance Officer, Rialto Markets LLC: Signed the settlement on behalf of the firm on June 3, 2025. The firm’s compliance failures happened on this officer’s watch.
  • Richard M. Nummi, Counsel for Respondent, Nummi & Associates, PA: Represented Rialto Markets in the FINRA settlement process.
  • Alex Marinello, Principal Counsel, FINRA Department of Enforcement: Signed the acceptance of the settlement on behalf of FINRA on June 11, 2025.

Regulatory Watchlist

  • FINRA (Financial Industry Regulatory Authority): The body that issued this settlement. Search Rialto Markets on FINRA BrokerCheck at finra.org/brokercheck to view their full disciplinary record. This AWC is now part of Rialto’s permanent record.
  • SEC (Securities and Exchange Commission): The Safeguards Rule of the SEC’s Regulation S-P, the rule FINRA found Rialto violated, is enforced at the federal level. The SEC adopted amendments to Regulation S-P in May 2024 that add incident response program and customer notification requirements for broker-dealers; watch how they are enforced as their compliance dates arrive.
  • FTC (Federal Trade Commission): The FTC maintains IdentityTheft.gov, the official government resource if you believe your information was part of a data breach. It is free and walks you through a recovery plan step by step.

What You Can Actually Do

If you were a Rialto Markets customer during 2021–2022, freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately. A credit freeze is free by federal law, and it stops anyone from opening new accounts in your name. Do this even if you already signed up for the free monitoring Rialto offered. Monitoring tells you after the damage; a freeze prevents it.

Organize locally with neighbors, friends, and community members around data rights. Push your local representatives to support stronger data breach penalty legislation. The current fine structure, where a firm pays $50,000 ($50,000, roughly the median American annual salary) for exposing 4,400 people’s Social Security numbers, is a regulatory joke. Real deterrence means fines that actually hurt, mandatory minimum per-person penalties, and personal liability for compliance officers who sign off on inadequate systems.

Support mutual aid networks focused on financial literacy and fraud recovery β€” especially those that help older adults and lower-income communities, who are disproportionately targeted after data breaches because they have fewer resources to fight back. The system protected the firm. Build the infrastructure to protect each other.


The source document for this investigation is attached below.

The FINRA link that I used to write this article can be found at https://www.finra.org/sites/default/files/fda_documents/2022075714101%20Rialto%20Markets%20LLC%20%20CRD%20283477%20AWC%20lp%20%282025-1752279594969%29.pdf

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
