Windhaven Investment Management is notifying clients that a server maintained by an unnamed vendor suffered an unauthorized intrusion several months ago. As a result, customers’ names, account numbers, custodians, and investment positions for their Windhaven account(s) may have been accessed. Neither Social Security numbers nor dates of birth were exposed.
Windhaven learned of the intrusion last month, but noted that potential access to customer accounts may have occurred months earlier.
The firm offered affected customers a complimentary subscription to an Equifax credit monitoring service and outlined a number of free services offered by its affiliate, Charles Schwab & Co., to harden the security of the customers’ accounts.
Update 1: The day after this breach notice appeared on California’s site, it was silently deleted by them and attempts to access the report resulted in “Access Denied.” I am still attempting to get a response from California as to why they removed it from their list and blocked access to it. In the meantime, a copy of the notification has just been posted to Maryland’s web site, so you can read it there. Just to make sure that it doesn’t disappear from there, too, I’ve downloaded a copy that I am uploading here (pdf).
Update 2: The notice has reappeared on California’s site, but with a different url. Since I didn’t download the first one, I’m not 100% sure whether what’s there now is identical to what was originally uploaded, but this version is redacted for contact info, whereas the original notice wasn’t. The Maryland notice is only their letter to the state; not the attachment with the sample to affected clients.
Update 3: 419 New Hampshire residents were also notified of the breach.