Web server intrusion puts advisory clients at risk

Share this article:

An undisclosed number of accounts with Boston-based Windhaven Investment Management may have been compromised after an intruder accessed a web server maintained by a third-party.

How many victims? Undisclosed, but reports indicate Windhaven Investment Management manages roughly 44,000 accounts.

What type of personal information? Names, account numbers, custodians and investment positions.

What happened? There was an unauthorized intrusion on a web server maintained by a third-party vendor hired by Windhaven Investment Management. The intruder could have used this web server to access a database containing the personal information.  

What was the response? Windhaven Investment Management permanently disconnected the affected web server and database to prevent any potential access to information. Law enforcement has been alerted and an investigation is ongoing. Improvements are being made to Windhaven's security of confidential information and additional security is being added to accounts. Letters have been sent out to affected clients and they are being offered one free year of credit monitoring services.

Details: Windhaven Investment Management learned of the incident in August, but the actual incident occurred months earlier.  

Quote: “While we have not detected any specific indication that your information was accessed, we are informing you of this incident as a precautionary measure,” said Bryan Olson, president of Windhaven Investment Management, in the letter. “Please note that the database did not include your Social Security number, date of birth or information about any other accounts.”

Source: oag.ca.gov, “Windhaven Investments Sample Notice (PDF),” Sept. 19, 2013.

Share this article:

Sign up to our newsletters

POLL

More in The Data Breach Blog

Second burglary breach within a month for Coordinated Health

More than 700 Pennsylvania patients have been impacted after Coordinated Health experienced its second burglary-related data breach within a month.

Fate of unencrypted drive unknown, PHI of 5,500 in Virginia at risk

A Virginia-based chiropractic center is not quite sure what happened to an unencrypted thumb drive, which contained personal information - including Social Security numbers - on more than 5,500 patients.

Iowa State server breach exposes SSNs of nearly 30,000

The breach impacts Iowa State students where were enrolled at the university between 1995 and 2012.