American financial planning company Ameriprise has experienced a major data leak, after information on investment portfolios worth millions of dollars was exposed on the Internet. Chris Vickery, a security expert at MacKeeper, detected this leak on 5 December using the Shodan connected device database.
Professional data on an incorrectly configured storage device
Chris Vickery reported discovering a large number of confidential documents containing data on Ameriprise and its clients: social security numbers, funds transfer authorisations and decryption keys concerning more than 350 clients and accounts worth several million dollars.
Example of a leaked client portfolio. Image credit: Chris Vickery
These documents had been stored on a network-attached storage (NAS) device belonging to one of Ameriprise’s financial advisers. His professional NAS was set to synchronise to his personal NAS – and neither was protected with a user ID or password.
Poor backup security practices
Ameriprise reacted by taking both storage devices offline and informing the customers concerned. The company apparently supplied one device to the employee, which would indicate an internal security issue. Both devices are now being analysed by an internal IT lab.
Ameriprise denies using external storage devices. However, security documentation saved on the device itself contained information on how to secure external hard drives. The security documents therefore appear to disprove the company’s statement. Consequently, it is not yet possible to determine whether the leak is due to human error or structural issues at the company.
A list of client names and account numbers. Image credit: Zdnet.com, Chris Vickery
Data leaks – serious but increasingly frequent
This data leak shows the difficulty of securing data outside of the company’s perimeter. According to a 2016 report by law firm Baker Hostetler, employee negligence is the biggest cause of data security incidents.
In addition to raising employee awareness, companies can secure their external perimeters by scanning for data leaks on the dark web and open servers. This ensures they quickly become aware of any employees or partners who fail to respect security practices.