DataBreaches.Net

Aperio Group client account data breached by successful phishing attack

Posted on February 12, 2018 by Dissent

On January 30, Aperio informed advisors of a data breach that occurred when two employees’ email accounts were compromised by successful phishing attacks that resulted in auto-forwarding email from those accounts to two external accounts.

Aperio discovered the problem on January 11, 2018, and their investigation determined that all emails sent to those two accounts between August 21, 2017 and January 11, 2018 had been blind copied/forwarded to the two external addresses.

The compromised data included account names, account numbers, email addresses, and account balances. Social Security numbers and clients’ login credentials were reportedly not compromised.
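The mechanism here, a rule in a phished mailbox that silently copies every incoming message to an outside address, is one of the most common post-phishing exfiltration techniques and one of the easiest to detect if anyone looks at the mailbox-configuration audit trail. The script below is an added example, not Aperio's or this site's code: it scans audit records for the Exchange cmdlets and parameters that cause mail to leave a mailbox or tenant (inbox-rule forwards and redirects, mailbox-level forwarding, transport-rule BCCs) and flags any whose target domain is not one of the organisation's own. The record shape is modelled on Exchange Online Unified Audit Log entries (an Operation plus a list of Name/Value parameters), the sample records are constructed, and the internal-domain list is an assumption; which of these parameters the Aperio attackers actually used is not stated in the article.

```python
"""Flag mailbox rules and settings that copy mail to external domains.

Added example, not code from Aperio or DataBreaches.net. Input records are
constructed and only modelled on the shape of Exchange Online Unified Audit
Log entries (Operation name plus Name/Value parameter list). The cmdlet and
parameter names are the real Exchange ones.
"""
import re
from dataclasses import dataclass

# Assumption: the organisation's own mail domains. Any other domain is external.
INTERNAL_DOMAINS = {"example-firm.com"}

# Cmdlet parameters that make a copy of mail leave the mailbox or the tenant.
EXFIL_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients"},
    "Set-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients"},
}

# Matches an address inside any value format the log uses, e.g. 'smtp:user@domain'
# or '"Display Name" [SMTP:user@domain]'. Group 1 is the domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


@dataclass
class Finding:
    time: str
    actor: str              # account that made the change (often the phished one)
    operation: str
    parameter: str
    external: list          # external addresses that now receive copies
    deletes_original: bool  # rule also deletes the message, so the victim never sees it


def external_addresses(value):
    """Return the addresses in a parameter value whose domain is not one of ours."""
    return [m.group(0) for m in EMAIL_RE.finditer(str(value))
            if m.group(1).lower() not in INTERNAL_DOMAINS]


def scan(records):
    """Return one Finding per rule or setting that copies mail to an external address."""
    findings = []
    for rec in records:
        watch = EXFIL_PARAMS.get(rec.get("Operation"))
        if not watch:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        for name in sorted(watch.intersection(params)):
            ext = external_addresses(params[name])
            if ext:
                findings.append(Finding(rec["CreationTime"], rec["UserId"],
                                        rec["Operation"], name, ext, deletes))
    return findings


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {   # attacker in a phished mailbox: forward everything outside and hide it
        "CreationTime": "2017-08-21T14:02:11", "UserId": "alice@example-firm.com",
        "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "ForwardTo", "Value": '"Alice" [SMTP:dropbox7@mail-drop.example]'},
                       {"Name": "DeleteMessage", "Value": "True"}],
    },
    {   # legitimate delegation to a colleague: internal, not flagged
        "CreationTime": "2017-09-02T09:15:00", "UserId": "admin@example-firm.com",
        "Operation": "Set-Mailbox",
        "Parameters": [{"Name": "Identity", "Value": "bob"},
                       {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@example-firm.com"},
                       {"Name": "DeliverToMailboxAndForward", "Value": "True"}],
    },
    {   # ordinary filing rule: no forwarding parameter at all
        "CreationTime": "2017-09-10T11:40:23", "UserId": "dave@example-firm.com",
        "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "MoveToFolder", "Value": "Archive"}],
    },
    {   # mailbox-level forward to a personal webmail account: external
        "CreationTime": "2017-10-30T17:55:41", "UserId": "erin@example-firm.com",
        "Operation": "Set-Mailbox",
        "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:erin.home@webmail.example"}],
    },
    {   # tenant-wide transport rule BCCing mail outside: highest impact
        "CreationTime": "2017-11-05T03:12:09", "UserId": "admin@example-firm.com",
        "Operation": "New-TransportRule",
        "Parameters": [{"Name": "Name", "Value": "Compliance archive"},
                       {"Name": "BlindCopyTo", "Value": "archive@outside-archive.example"}],
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        flag = " (deletes original)" if f.deletes_original else ""
        print(f"{f.time} {f.actor} {f.operation} {f.parameter} -> {f.external}{flag}")
```

Two practitioner notes. First, a forwarding rule survives a password reset, so remediation after a phished account must enumerate and remove rules and mailbox forwarding, not just rotate the credential; otherwise the copy stream continues exactly as it did here for five months. Second, rules named with a single character and rules that delete the message after forwarding are the classic signs of an attacker hiding the rule from the mailbox owner, which is why the example records that flag alongside the external address.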

Actual phishing email that was sent to numerous employees, two of whom fell for it. Aperio provided this to advisors and intermediaries.

An FAQ on the incident, a copy of which was obtained by DataBreaches.net, indicates that Aperio did not disclose the number of affected end-clients, but indicated that it would be notifying advisors/intermediaries with lists of compromised accounts. At another point, in response to a query about how much data was compromised, the firm noted that three emails, out of the several thousand emails or so that had been copied/forwarded, had attached spreadsheets that were not password-protected. Those three emails and attached spreadsheets accounted for the vast majority of compromised data, Aperio claims.

Aperio did not immediately respond to an inquiry from this site asking how many clients had their account information compromised.

Significantly, Aperio noted that it was not aware of any indication of misuse of customer information by the time of the notification. Aperio’s presentation to advisors – a copy of which was also obtained by DataBreaches.net – seems to minimize the risks of adverse consequences to investors because no SSNs were involved and no login credentials were compromised.

It’s almost as if Aperio never heard of credential stuffing or brute force attacks, or of how convincing a phishing email becomes when the sender already knows your name, your account number and your balance.

In any event, Aperio states that it is not aware of any misuse of the compromised data, and it does not necessarily instruct its advisors to notify investors of the breach:

Notify clients?

— Our understanding is no federal requirement

— Most states don’t require notification for the information compromised

— Five states do:  MA, NC, WI, KS, IL

— Two states require notifying the state AG: MA, NC

And in case advisors were wondering, Aperio makes clear that in most cases, they will not notify the advisor’s investors, and that they will only notify end-clients if three specific conditions are met. Aperio is a regulated entity, but not a FINRA-regulated entity. And they are probably quite relieved that so far, there has been no misuse of the data, because they claim that although they carry cyber-insurance for breaches, it would not cover this incident.

I think the bottom line may be that if you are an investor who does not live in MA, NC, WI, KS, or IL, do not expect any notification from Aperio, and even if you live in one of those states, they may not notify you. Whether your advisor will notify you, well, your guess is as good as mine at this point and will presumably depend on what the intermediaries’ legal counsel advise them about their obligations under state laws.

Aperio has notified the FBI and, working with its IT vendor, has taken steps to reduce the amount of sensitive information in internal emails. It has also strengthened employee training, restricted what information can be transmitted by email, and strengthened the security of documents.


Category: Business Sector, Commentaries and Analyses, Phishing, U.S.