Not all data breaches stem from hacking; sometimes it just leaks out.
An employee working at financial planning giant Ameriprise unintentionally exposed personal information of customers, which included hundreds of investment portfolios worth tens of millions of pounds.
So you can say this is a big leak.
Discovery of the Ameriprise data leak
The data leak was discovered by Chris Vickery, a lead researcher for the security team at MacKeeper. Vickery noticed that the system was exposed while performing a random scan. The data was found on a network storage device at the employee’s home, which was set to synchronise over the internet with his backup drive at the office.
When Vickery found the chunk of data, he alerted and supplied the data to the company. One investment portfolio that was leaked involved a Massachusetts couple who had over £1 million in retirement funds. The portfolio also contained highly sensitive notes and letters which detailed the couple’s future plans.
What personal information was leaked?
Alarm bells are going off here as there was neither a secure backup system nor a password at the employee’s drive at home. This would’ve allowed almost anyone a full view of the sensitive information stored on his drive.
The information stored on the drive included social security numbers, bank accounts, and financial planning data on around 350 ‘high-value’ clients. The information leaked wasn’t restricted to just clients, and also contained personal information belonging to the employee, including a backup of his password manager’s data.
The database was found on Shodan, a search engine for open and unsecured databases for devices connected to the internet. As was the case for the employee’s drive.
Responsibility of the employee or the company?
The employee hasn’t been named, but his clients will be notified of the breach by the company. This could be because Ameriprise is one of the largest companies in America, if the employee was named, this could tarnish the reputation of that specific branch/franchise.
Ameriprise are taking the data leak very seriously given the tight regulations it has to abide by. As they retrieve both of the backup drives and examine them in an internal lab, I’m sure that they’ll come under fire for why the backup was left unprotected to start with. This highlights the lack of regulation that they have and/or the lack of enforcement powers on employees.
Employee blames the company
The employee blames the company for providing him with the office backup drive. However, the company denies this, saying: “we provide a secure online storage solution for this information”. When working from home, employees are required to file and sign an information security policy, which explains how the employees are responsible for safeguarding client information. Ironically, this was one of the documents that was exposed.
Regardless of whether it was the employee or the company at fault, both of them have the responsibility to ensure that their client’s personal information is stored securely. This is even more important where tens of millions of pounds of investment portfolios are at stake.