An advisor working for financial planning giant Ameriprise has inadvertently exposed hundreds of investment portfolios, worth tens of millions of dollars.
The data was found on an internet-connected backup drive at the advisor's home, which was set to synchronize over the internet with his primary backup drive at his office.
But neither drive had a password, allowing anyone to view sensitive client data.
The database was found on Shodan, a search engine for open and unsecured databases and devices connected to the internet.
On the drive was Social Security, bank account, and financial planning data on about 350 high-value clients. It also contained personal files belonging to the advisor, including a backup of his password manager's data, which contained his hashed credentials for the company's internal network.
A list of bank account and routing numbers was found in the exposed files.
The drive also contained the advisor's Windows BitLocker recovery key for his encrypted work computer.
Chris Vickery, lead security researcher of the MacKeeper security research team, said in a blog post that he found the exposed Buffalo backup drive and alerted the company, which since secured the data.
He supplied a portion of the data, which detailed one Massachusetts couple's portfolio of more than $1.3 million in retirement funds, along with highly sensitive notes and letters detailing and describing the couple's future plans.
A financial portfolio overview of one couple, which was found on the leaky backup drive.
Ameriprise is one of the largest companies in the US, arguably a household name, which offers financial advice, planning, and wealth management services to its customers. The company has tens of thousands of advisors across the country, most of whom are not full-time employees but contractors who operate their own franchise, such as the advisor in this case.
We have made the decision not to name the financial advisor in this case, though his clients will soon be notified of the breach by the company.
Given the tight regulations it has to abide by, the company said it takes security seriously.
But what isn't clear is if this is an isolated exposure of data and limited to a few hundred clients scattered across the eastern seaboard, or if it's a systemic problem with its franchise operators across the company.
Ameriprise has confirmed that it pulled both backup drives and will examine them at an internal IT lab.
But questions remain about why the data was left on an unprotected backup in the first place.
The financial advisor told Vickery that the office backup drive was supplied by the financial giant, which the company denies. "We provide a secure online storage solution for this information," an Ameriprise spokesperson said in an email.
The advisor also said that he never set his home backup drive -- the exact same model -- to synchronize. However, in a 2015-dated business continuity document, the advisor confirmed that he backs up his computer "weekly" to a backup drive located at his home address.
Both company staff and franchise workers are required to file and sign an information security policy -- ironically this document was one of the files exposed in the backup -- which explains how each advisor will safeguard confidential client data. One of the pointers warns advisors that client files sent over the internet that "are not adequately encrypted" could lead to unauthorized access.
An Ameriprise spokesperson called the data exposure an "isolated incident pertaining to a single advisor practice."
"We immediately took the device offline upon discovering the issue and we are taking swift and appropriate action to notify impacted clients and protect their accounts from unauthorized activity," said the spokesperson.
But Vickery said that there's no telling if this is a large scale problem among franchise workers.
"Additional security and compliance documentation within the leaked files make plenty of references to physically securing flash drives and external hard drives," said Vickery in his blog post.
"Ameriprise has to know that these kinds of devices do actually exist within their offices," he said.
If that's the case, it could pose a serious issue for Ameriprise -- and its customers.