DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update on Morningstar Document Research breach

Posted on July 8, 2013 by Dissent

Reuters reports:

Investment research firm Morningstar Inc said personal information, including credit card details, of about 2,300 users of its Morningstar Document Research service may have been compromised due to a security breach last year.

The incident on April 3, 2012 may also have led to the leakage of names, addresses, email addresses and passwords, the company said in a filing on Friday.

Morningstar Document Research, formerly 10-K Wizard, provides a global database and search tool for company filings.

An additional 182,000 clients who had email addresses and user-generated passwords on the system may also have been affected, Morningstar added.

Read more on Reuters.  AP also covers the breach, here.

Both outlets seemingly learned about this breach via the firm’s 8K security filing.  Actually, if they had read DataBreaches.net, they would have known about this breach already weeks ago, although I didn’t know the number affected on June 18 when I uploaded a reader-submitted notification.

Here is the relevant section of the July 5  8k filing:

Security Incident with Morningstar Document Research

3. Can you detail the cause, timing, and nature of your recent security breach? What will its final cost be to shareholders?

We recently became aware that an illegal intrusion into the Morningstar Document Research (formerly 10-K Wizard) system occurred around April 3, 2012. As a result, a small subset of our clients’ personal information, such as names, addresses, email addresses, passwords, and credit card numbers, may have been compromised. The intrusion affected about 2,300 users whose credit card information was stored in the Morningstar Document Research (MDR) system. An additional 182,000 clients who had email addresses and user-generated passwords in the system may have been affected.

Earlier this year, we shut down the old servers and moved the data to a more secure infrastructure as part of a migration plan for MDR unrelated to this incident. We have taken additional steps to prevent unauthorized access to our systems to protect client information. We are also working with law enforcement officials and credit card companies as well as conducting our own investigations.

We take this matter very seriously and are working diligently to protect our client information and prevent this type of incident from happening again.

Protecting the integrity of our client information is of utmost importance to us. We have sent notices to MDR clients and reset their passwords. We have also encouraged MDR clients to be cautious about phishing scams and password protection. In addition, we have encouraged clients whose credit cards may have been compromised to monitor their credit reports and credit card accounts, and we are offering them 12 months of free identity protection through Experian’s ProtectMyID™ Alert program.

So the SEC filings are turning out to be an occasional source of useful details on breaches. But it’s not clear to me why I haven’t seen this breach on any of the state web sites that disclose breach reports.  In response to an inquiry from this site as to which states were notified, Morningstar spokesperson Margaret Kirch Cohen would only say that the firm “notified the authorities as required.”

According to Cohen, Morningstar first learned of the breach when they were notified of it by a client.

No related posts.

Category: Breach IncidentsBusiness SectorHack

Post navigation

← Statement of Public.Resource.Org on IRS web exposure of tens of thousands of SSNs
UK: The cancer diagnosis letter found in a car park, voicemails to the wrong person and a gate-crashed consultation: Hospital data breaches up 20% in a year →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.