Cyber Incident Victim: Harvest
Date:
Feb 2025
Location:
France
Summary
Harvest experienced a cyberattack that disabled its SaaS platforms, including Fidroit, O2S, Big, Quantalys, Prisme and MoneyPitch, leaving wealth‑management professionals unable to access their daily tools. The company has not released an official assessment of the damage. Its software holds extensive personal data (addresses, email addresses, phone numbers, bank details and possibly medical information), so it remains uncertain whether a data leak occurred in addition to the loss of availability. Harvest maintains a risk‑management framework with an incident‑escalation procedure, a risk committee, external audit support, a crisis cell and regular infrastructure updates. Nonetheless, the attack has prompted industry bodies to advise client firms to document the incident for the CNIL and to notify affected individuals only if a breach of confidentiality is confirmed.
Description
On 27 February 2025, Harvest, the leading provider of wealth‑management software in France, experienced a cyberattack that took its SaaS offerings offline. Since the incident, the tools Fidroit, O2S, Big, Quantalys, Prisme and MoneyPitch have been unavailable to users. The company, led by Virginie Fauvel and described as a quasi‑monopolistic player in the market, stated that it maintains regular communication with its clients, but it had not issued an official statement about the attack at the time of reporting. As a result, wealth‑management advisors, banks and insurance firms that rely on these applications for daily operations have been unable to carry out their usual workflows.

Opadeo highlighted that the outage constitutes a loss of availability of personal data, which is itself a personal‑data breach under the GDPR and therefore triggers the data‑breach notification obligation, even though it remained unclear whether any data had actually been exfiltrated. The O2S platform in particular stores extensive personal information, including postal addresses, email addresses, telephone numbers, RIBs (bank account details), details of assets and holdings, identity documents and possibly medical data. Opadeo noted that Harvest's security posture had been judged "rather serious" (that is, reasonably sound) based on the vendor's responses to a questionnaire in July of the previous year, pointing to the existence of an incident‑management procedure, a risk committee, external audit support, a crisis‑cell activation process and regular updates to hardware and software environments. In reaction, Anacofi advised that, even if Harvest as a processor (subcontractor) had already notified the CNIL, the affected wealth‑management professionals, as controllers, must still document the breach internally in their own breach register. The CNCGP informed its members of the steps to take with the CNIL and clarified that no loss declaration is required unless third‑party liability is engaged.
Philippe Loizelet, president of the ANCDGP, commented on LinkedIn that the disruption was amplified because several insurance companies and investment‑service providers had interconnected their own systems with Harvest's platforms, triggering widespread activation of internal security plans. He noted that, at the time of his statement, neither the scope nor the confirmation of any data leakage had been established. Loizelet urged each wealth‑management advisor, broker, IOBSP (banking and payment services intermediary) and CIF (financial investment adviser) using the platforms to consider filing a CNIL notification within the 72‑hour window prescribed by the regulation. The article concluded with a message of support directed to Harvest Groupe, its CEO Virginie Fauvel and Delphine Asseraf.
