On January 30, Aperio informed advisors of a data breach that occurred when two employees’ email accounts were compromised by successful phishing attacks, which resulted in email from those accounts being auto-forwarded to two external accounts.
Aperio discovered the problem on January 11, 2018, and their investigation determined that all emails sent to those two accounts between August 21, 2017 and January 11, 2018 had been blind copied/forwarded to the two external addresses.
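As an added example (not from this post, and not Aperio's or their IT vendor's tooling), here is a small Python check of the kind a mail administrator could run over an export of mailbox rules to flag forward or BCC rules pointing outside the organisation, the mechanism described above, and to measure how long such a rule sat undetected. The mailboxes, addresses and the `example-firm.test` domain are constructed; only the rule-creation and discovery dates mirror the incident.

```python
from dataclasses import dataclass
from datetime import date

# Constructed: domains considered internal to the organisation.
ORG_DOMAINS = {"example-firm.test"}
# Date the rules were found (mirrors the incident's discovery date).
DISCOVERED = date(2018, 1, 11)


@dataclass(frozen=True)
class MailboxRule:
    mailbox: str   # owner of the rule
    action: str    # "forward", "bcc" or "move"
    target: str    # destination address for forward/bcc, folder name for move
    created: date  # when the rule was created


def is_external(address, org_domains=ORG_DOMAINS):
    """True if the address's domain is not one of the organisation's."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def find_external_forwarding(rules):
    """Return rules that forward or BCC inbound mail to an outside address."""
    return [r for r in rules
            if r.action in {"forward", "bcc"} and is_external(r.target)]


def exposure_days(rule, discovered=DISCOVERED):
    """Days a rule was active before it was found."""
    return (discovered - rule.created).days


# Constructed sample export: two attacker-installed rules, two legitimate ones.
SAMPLE_RULES = [
    MailboxRule("alice@example-firm.test", "forward", "drop1@external.test", date(2017, 8, 21)),
    MailboxRule("bob@example-firm.test", "bcc", "drop2@external.test", date(2017, 8, 21)),
    MailboxRule("carol@example-firm.test", "forward", "assistant@example-firm.test", date(2017, 9, 1)),
    MailboxRule("dave@example-firm.test", "move", "Archive", date(2017, 10, 5)),
]

if __name__ == "__main__":
    for r in find_external_forwarding(SAMPLE_RULES):
        print(f"{r.mailbox}: {r.action} -> {r.target}, active {exposure_days(r)} days")
```

Run on the sample, the two external rules are reported as active for 143 days, the length of the window the notification describes; the internal forward and the move rule are not flagged.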
The compromised data included account names, account numbers, email addresses, and account balances. Social security numbers and clients’ login credentials were reportedly not compromised.
An FAQ on the incident, a copy of which was obtained by DataBreaches.net, indicates that Aperio did not disclose the number of affected end-clients, but indicated that it would be notifying advisors/intermediaries with lists of compromised accounts. At another point, in response to a query about how much data was compromised, the firm noted that three emails, out of the several thousand emails or so that had been copied/forwarded, had attached spreadsheets that were not password-protected. Those three emails and attached spreadsheets accounted for the vast majority of compromised data, Aperio claims.
Aperio did not immediately respond to an inquiry from this site asking how many clients had their account information compromised.
Significantly, Aperio noted that it was not aware of any indication of misuse of customer information by the time of the notification. Aperio’s presentation to advisors – a copy of which was also obtained by DataBreaches.net – seems to minimize the risks of adverse consequences to investors because no SSNs were involved and no login credentials were compromised.
It’s almost as if Aperio never heard of credential stuffing or brute force attacks.
In any event, Aperio states that it is not aware of any misuse of the compromised data, and it does not instruct its advisors to necessarily notify investors of the breach:
Notify clients?
— Our understanding is no federal requirement
— Most states don’t require notification for the information compromised
— Five states do: MA, NC, WI, KS, IL
— Two states require notifying state AG: MA, NC
And in case advisors were wondering, Aperio makes clear that in most cases, they will not notify the advisor’s investors, and that they will only notify end-clients if three specific conditions are met. Aperio is a regulated entity, but not a FINRA-regulated entity. And they are probably quite relieved that so far, there has been no misuse of the data, because they claim that although they carry cyber-insurance for breaches, it would not cover this incident.
I think the bottom line may be that if you are an investor who does not live in MA, NC, WI, KS, or IL, do not expect any notification from Aperio, and even if you live in one of those states, they may not notify you. Whether your advisor will notify you, well, your guess is as good as mine at this point and will presumably depend on what the intermediaries’ legal counsel advise them about their obligations under state laws.
Aperio has notified the FBI and, working with their IT vendor, has taken steps to reduce the amount of sensitive information in internal emails. They have also strengthened employee training and restricted the ability of information to be transmitted by email, while strengthening the security of documents.