
Financial Advisor at Ameriprise exposes millions in assets via NAS

Christopher Burgess Blog, Data Breach (Financial, Education, Business, Government, Healthcare), Information Security

Do you use a financial advisor? I do, and I recommend mine to others without reservation. Part of that recommendation comes from the manner in which the account data is secured, which provides me more than a modicum of assurance that the folks managing my money are not asleep at the switch when it comes to protecting my identity (and thus my assets).

Most financial firms of note have in place good to adequate security. And yes, like every industry, convenience is sometimes sacrificed (a little) to provide the level of security necessary to ensure your data is protected. The convenience factor is a two-way street.

You the consumer need to have access to your own information and accounts; your financial advisor also needs access to your information and accounts. If either of you gets lazy and bypasses the established security and privacy implementations, then your data is being placed at risk.

And this is exactly what happened in the case reported as "Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accounts," though it appears that Ameriprise and the advisor are at odds on what constitutes security. From our optic, both failed! The NAS (Network Attached Storage) device, which housed the backup data of the financial advisor, had no security implementation in place.

The financial advisor apparently backed up his clients' data to an unsecured NAS. The advisor's clients' data were included in the depository. Not just the clients' accounts with Ameriprise, but all their accounts and their passwords … thus exposing them for any who know how to scan the internet (Shodan was used in this instance) to see. What exactly was available for harvesting? Here are two screenshots.

The first screenshot shows the internal account details of the clients. The portions which would expose the individual accounts of the clients and the access credentials have been redacted, and the password column omitted. In a few words, a total compromise of the clients' financial accounts occurred.

Prevendra - Ameriprise Compromise 2

The second screenshot, provided by the security researcher Chris Vickery, is the questionnaire the financial advisor provides to Ameriprise in which data handling is discussed.
Prevendra - Ameriprise Compromise

What to ask your financial advisor?

The financial industry is high on the threat list for lucrative harvesting by cyber criminals. We don't need to entrust our fiscal assets to those who aren't interested in protecting those assets.

Use the considerable assets of FINRA to fact-check and augment your knowledge of the financial advisory industry and best practices. FINRA is there to protect you the investor, and their tip sheet (2-page PDF: Keeping Your Account Secure) is a good primer.

When engaging with your financial advisor ask some pointed questions on how your data is protected and secured!

  • Do you transmit my account data via unencrypted email? (Are they attaching a .pdf and winging it to you?)
  • Personal information forms and medical data for annuities, life insurance, etc.: where are they physically stored?
  • How are they protected?
  • My external accounts (bank, brokerage, etc.): how is that data protected?
  • Who has access to my online account? Financial advisor? Supervisors? Analysts? (The more who have access, the more opportunities to lose or misuse your data.)

If you don't like the answers or if there are no answers, find a new advisor.
