Dave Lewis of Forbes recently reported a breach affecting brokerage house Benjamin F. Edwards Co.’a customers. A copy of the firm’s notification letter to clients had been posted on the California Attorney General’s website as well as the Vermont Attorney General’s website.
At the time, Lewis reported:
On May 24, 2014 Benjamin F. Edwards & Co. had their computer systems compromised by an unauthorized third party. The breach was discovered three days later on May 27, 2014. Through their investigation the company was able to ascertain that customer data was in fact exfiltrated from the company systems. While they were unable to determine if the data has been used fraudulently that is a possibility that could still occur. They did not disclose how many customers were affected in the breach.
The firm’s notification to New Hampshire, however, reveals additional details not previously disclosed:
… an employee of BFE was the victim of a CryptoWall malware infection (a variant of the more common CryptoLocker malware) that encrypted files on the employee’s computer and files on certain shared drives to which the user had access. As a result of the infection, data was transferred to a suspicious IP address. The investigation of a professional forensic expert has not, however, been able to reveal the content of the data transmitted to the IP address.
BFE’s law firm, Bryan Cave, notes that the firm does believe notification is required under New Hampshire’s statute, and that although they have no specific evidence that any resident’s information was accessed, acquired, or misused, they were notifying every client and former employee whom BFE knew to reside in New Hampshire – 430 individuals.
Those notified were offered one year of free identity protection, credit-monitoring, and fraud assistance services with AllClear ID.