Insecure NAS Device Exposes 350 Ameriprise Investment Accounts

A trove of data belonging to Ameriprise Financial was found earlier this month and included Social Security number, decryption keys and confidential internal company documents.

A trove of data belonging to Ameriprise Financial was found earlier this month that included Social Security numbers, decryption keys and confidential internal company documents. The breach is related to the use of a network attacked storage device that insecurely backed up data from an internal Ameriprise Financial network to an employee’s home.

MacKeeper security researcher Chris Vickery revealed the breach last week on his MacKeeper blog. The breach occurred sometime prior to Dec. 5, the date Vickery notified Ameriprise Financial and the owner the NAS of the insecure data.

“I discovered Social Security numbers, bank authorization details, confidential internal company documentation, decryption keys, and certificates all alongside approximately 350 client directories (representing millions of invested dollars),” he wrote.

Data stored on the NAS device did not require a username or password for access. It’s believed that the employee, who worked in a satellite office, was encouraged to securely back up data to an external location.

Ameriprise Financial responded immediately to knowledge of the breach and took the NAS device offline for further investigation. In a statement to Threatpost the company said, “This is an isolated incident pertaining to a single advisor practice. We immediately took the device offline upon discovering the issue and we are taking swift and appropriate action to notify the approximately 350 impacted clients and protect their accounts from unauthorized activity.”

According to Vickery’s research into the breach, he has heard two contradictory statements as to the use of NAS devices in satellite Ameriprise offices. According to third-party reports in the media, Ameriprise told several news outlets it does not authorize the use of NAS devices. However, Vickery found a document on the vulnerable storage device that appeared to be for surveying employees asking how they keep and maintain computer backups. The survey instructs: “Your client information may reside on the hard drive of your computer. Regular backups are required to protect your client data. You should also include computer backup information for AFAs in a separate location in this section.”

Furthermore, Vickery wrote, that the Ameriprise employee with the insecure NAS told him that Ameriprise was pulling and examining devices, “to make sure there wasn’t a bigger problem to worry about.”

“To me, that says there is at least some concern that more of these devices may be out in Ameriprise offices,” Vickery said.

Unknown is whether unprotected credentials found by Vickery would have been able to access Ameriprise’s internal network. “Doing so would be a clear violation of the Computer Fraud and Abuse Act, which makes even attempting it off-limits to me and my research efforts,” he wrote.

Of note, was the fact the financial advisor used 1Password to manage web credentials. “Only one ‘master password’ would need to be cracked and then all of them would be made available in plain text. A password hint file was even included pertaining to this master password. Considering what’s in the hint file, I’m pretty sure the master password could be cracked,” he wrote.

Suggested articles