Ameriprise adviser’s data breach offers cybersecurity lesson

Ameriprise Financial shut down the internet-connected backup drive its adviser was using to synchronize files from his office to his home as soon as it discovered client data was at risk earlier this month.
The Minneapolis-based firm, which manages about $796 billion in assets, said it was an isolated incident that pertained to only one adviser. But Ameriprise, which has about 10,000 advisers, still had to reach out to warn the clients of that unnamed adviser.
“We are taking swift and appropriate action to notify the approximately 350 impacted clients and protect their accounts from unauthorized activity,” the firm said in a statement Monday.
Stopping this kind of unsafe data handling is one of the greatest security challenges for financial firms, according to experts.
(More: Broker-dealers deploying advanced cybersecurity measures)
Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a recent study by Kapersky Labs.
“On the technology side of things, there is an increasing sophistication of firewall protection and detection if someone suspicious gets into a financial institution’s system,” said Robert Cattanach, cybersecurity expert and law partner at Dorsey & Whitney, speaking generically about the financial industry. “Human error is a hard thing.”
Firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules, he said.
(More: Cybersecurity solutions to weak passwords)
Also, training needs to be nonstop, Mr. Cattanach said.
Regulators continue to push initiatives in this area.
In September, New York’s Department of Financial Services proposed rules requiring financial institutions have a cybersecurity program that would protect consumers, including written policies and a designated chief information security officer to oversee and enforce the program.
The rules also would mandate cybersecurity training for employees at financial institutions and require reporting of hacking attempts to the state within 72 hours of their discovery.
And in some cases, regulators have held financial firms liable for breaches.
An investment advisory firm agreed to pay $75,000 to settle Security Exchange Commission charges last year for failing to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals’ personal information, including records of some of the firm’s clients. The firm, R.T. Jones Capital Equities Management, stored personal client and other information on a third-party-hosted web server that was breached by an unknown hacker from China who gained access to the data, the SEC alleged.
In the Ameriprise case, Social Security numbers, bank authorization details and other information for the adviser’s 350 clients were coming from a storage device in the adviser’s home, according to a Dec. 15 MacKeeper blog post by internet security researcher Chris Vickery. He wrote that he found the client data on a random perusal of Shodan, a search engine for unsecured devices connected to the internet.
Mr. Vickery said he did not try to use any of the credentials to gain access to Ameriprise’s internal network.
Mr. Cattanach said firms in general need to constantly be improving their cybersecurity procedures and monitors.
“Wherever we are today, tomorrow we’re going to have to get better because the bad guys get better too,” he said.

Related Topics: Ameriprise Financial