Cyber Incident Victim: Aperio Group
Date: Aug 2017
Location: United States of America
Summary
A financial services firm experienced a data breach when two employees fell victim to phishing attacks, resulting in unauthorized auto-forwarding of their email to external accounts over several months. Compromised information included client account names, account numbers, email addresses, and balances, primarily exposed through three unprotected emails containing spreadsheets. The organization confirmed that no Social Security numbers or login credentials were accessed. Upon discovery, the firm notified law enforcement, implemented enhanced security measures to limit sensitive data in email, and strengthened employee training protocols. While the total number of affected clients was not publicly disclosed, intermediaries received lists of the compromised accounts, and no misuse of the exposed information had been identified at the time.
Description
The Aperio Group data breach stemmed from a phishing attack compromising two employee email accounts, discovered on January 11, 2018. Between August 21, 2017, and the discovery date, all emails sent to these accounts were automatically forwarded to two external addresses without authorization. The attackers achieved this through successful phishing attempts that enabled email auto-forwarding rules. Aperio's investigation revealed the compromised data included client account names, account numbers, email addresses, and account balances. Notably absent from the breach were Social Security numbers and client login credentials, which reduced potential identity theft risks. Three specific unprotected emails containing spreadsheet attachments accounted for the majority of exposed sensitive information. The firm did not publicly disclose the total number of affected end-clients but committed to providing compromised account lists to financial advisors and intermediaries.

Upon discovery, Aperio terminated the unauthorized forwarding rules and launched an internal investigation to assess the breach scope. The company notified the Federal Bureau of Investigation (FBI) about the incident but stated no evidence suggested customer information had been misused. Aperio opted for conditional notification, informing investors directly only if their specific accounts were confirmed compromised in the three high-impact emails. Remedial actions included reducing sensitive data retention in email systems, enhancing employee cybersecurity training programs, and implementing stricter controls on email transmissions containing confidential information. The breach primarily exposed institutional client data managed through intermediary advisors rather than retail investor accounts. Aperio emphasized in communications that the absence of SSNs and credentials limited potential harm, though account-level financial details remained vulnerable to exploitation.
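The mechanism behind this breach, an inbox rule that silently forwards every incoming message to an external address, is one of the easier post-phishing persistence tricks to detect if mailbox rules are reviewed regularly. The following Python audit is an added example, not code from Aperio or from the original incident record: it takes a JSON export of mailbox inbox rules (the field names `mailbox`, `name`, `enabled`, `forward_to`, `redirect_to` and `delete_message` are assumptions chosen for illustration, loosely modelled on what a mail platform's rule listing provides), and flags enabled rules that forward or redirect to a domain outside the organization, adding extra weight when the rule also deletes the original or carries a near-empty name. The sample rules are constructed.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample export of inbox rules. The field layout is an assumption
# for this example; map your platform's rule listing onto it.
SAMPLE_RULES_JSON = """
[
  {"mailbox": "analyst1@example-firm.test", "name": "Archive newsletters",
   "enabled": true, "forward_to": [], "redirect_to": [], "delete_message": false},
  {"mailbox": "analyst2@example-firm.test", "name": ".",
   "enabled": true, "forward_to": ["collector@mail-drop.test"], "redirect_to": [],
   "delete_message": true},
  {"mailbox": "ops@example-firm.test", "name": "Copy to shared box",
   "enabled": true, "forward_to": ["ops-shared@example-firm.test"], "redirect_to": [],
   "delete_message": false},
  {"mailbox": "analyst3@example-firm.test", "name": "Old rule",
   "enabled": false, "forward_to": ["me@personal-mail.test"], "redirect_to": [],
   "delete_message": false}
]
"""

# Domains that count as "inside" the organization (assumed for the example).
INTERNAL_DOMAINS = {"example-firm.test"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True when the address's domain is not one of the organization's own."""
    return domain_of(address) not in {d.lower() for d in internal_domains}


def find_external_forwarding(rules: List[Dict], internal_domains: Iterable[str]) -> List[Dict]:
    """Flag enabled rules whose forward/redirect targets leave the organization.

    Disabled rules are skipped (they do not move mail), and rules that only
    forward internally are treated as benign. Each finding lists the external
    targets and the reasons it was raised.
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", False):
            continue
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = sorted(t for t in targets if is_external(t, internal_domains))
        if not external:
            continue
        reasons = ["forwards or redirects to an external domain"]
        if rule.get("delete_message", False):
            # Deleting the original hides the copy from the mailbox owner.
            reasons.append("deletes the original message")
        if len(rule.get("name", "").strip()) <= 1:
            # Attackers often give rules a single-character or blank name
            # so they do not stand out in the mail client's rule list.
            reasons.append("near-empty rule name")
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule.get("name", ""),
            "external_targets": external,
            "reasons": reasons,
        })
    return findings


def audit(json_text: str, internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[Dict]:
    """Parse a JSON rule export and return the suspicious-forwarding findings."""
    return find_external_forwarding(json.loads(json_text), internal_domains)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES_JSON):
        print(f"{finding['mailbox']}: rule {finding['rule']!r} -> "
              f"{', '.join(finding['external_targets'])} ({'; '.join(finding['reasons'])})")
```

Run against the constructed sample, only the `analyst2@example-firm.test` rule is reported, with all three reasons; the internal forward to the shared mailbox and the disabled personal-mail rule are ignored. In practice the same check belongs in a scheduled job that also compares each run's findings against a baseline of approved forwards, so that a newly created external forward is raised the day it appears rather than months later.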
