Massachusetts Data Breach Exposes 139,000 Records
The Massachusetts Secretary of State's office became the latest data breach victim when an employee accidentally released confidential information of 139,000 state-registered investment advisers to a business publication.

The breach occurred when personal information of tens of thousands of investment professionals contained on a CD-ROM was sent to IA Week, an investment industry publication, in response to a request for public information. IA Week had issued an information request of the office's Securities Division for a list of registered investment companies, but was instead sent a list of investment professionals.

The breach was attributed to a new employee who failed to remove the investment advisers' Social Security numbers and other private information, which is normally withheld from such requests.

Altogether, the exposed information included the investors' names, Social Security numbers, birth dates and locations, in addition to height, weight and hair and eye color.

IA Week, however, returned the CD, claiming that it had not copied the data. Meanwhile, the Massachusetts Securities Division is pondering whether this qualifies as a data breach, because the data was recovered and reportedly wasn't abused.

However, security experts beg to differ.

"The users should treat this as if their personal information is now at risk," said David Berman, director of product marketing for Voltage Security.

If it got into the wrong hands, the exposed data could be used to obtain a fake ID, which can subsequently be used by hackers to infiltrate or open personal accounts using the victim's personal information, Berman said.

"There's a number of cases where people are interested in purchasing false IDs, whether it's a state DMV driver's license or identification card. That's a concern," he said. "That can create a lot of confusion when people open accounts using a piece of your personal information."

While the breach appeared to be an accident, Berman said that any exposure of personal information could have been prevented if the Massachusetts office had deployed basic encryption technology that would have masked sensitive data unintentionally saved to the disk.

"In this basic case, any encryption at all would have prevented sensitive data being leaked outside the institution," Berman said. "In this case, it's probably more than an unfortunate mistake. There are security best practices, operation processes and some technology requirements that this particular office doesn't have."
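As an added illustration of the kind of basic control Berman describes (this is example code written for this page, not code from the article, the Massachusetts office or Voltage Security), the Python below builds a public-records export that copies only fields on an explicit public allowlist, then runs an independent scan that refuses to produce the file if anything resembling a Social Security number or date of birth remains. It demonstrates the process-and-check side of the fix rather than disk encryption; the field names, regular expressions and sample records are constructed assumptions.

```python
"""Field-allowlisted public-records export with a pre-release scan.

Added example (not from the article or the Massachusetts office). The field
names, sample records and regexes are assumptions. Two independent layers:
the export builder copies only allowlisted fields, and a separate check scans
the finished rows for SSN-like or DOB-like values before anything is written.
"""
import csv
import io
import re

# Fields that may appear in a response to a request for the public register.
# Everything else (SSN, DOB, physical description) is dropped by construction.
PUBLIC_FIELDS = ("registration_id", "name", "firm", "state")

# Patterns for values that must never leave the office in a public release.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b")  # ISO date such as 1970-05-14

# Constructed sample records standing in for the internal register.
INTERNAL_RECORDS = [
    {"registration_id": "R-1001", "name": "A. Example", "firm": "Example Advisors LLC",
     "state": "MA", "ssn": "123-45-6789", "dob": "1970-05-14", "eye_color": "brown"},
    {"registration_id": "R-1002", "name": "B. Sample", "firm": "Sample Capital",
     "state": "MA", "ssn": "987-65-4321", "dob": "1985-11-02", "eye_color": "blue"},
]


def build_public_export(records):
    """Return rows containing only allowlisted fields.

    The allowlist is applied by lookup, so a column added to the internal
    register later can never reach the export without a deliberate change here.
    """
    return [{field: rec.get(field, "") for field in PUBLIC_FIELDS} for rec in records]


def scan_for_sensitive_values(rows):
    """Independent pre-release check: flag any value that looks like an SSN or DOB.

    Returns a list of (row_index, field, pattern_name) findings; empty means clean.
    """
    findings = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            text = str(value)
            if SSN_RE.search(text):
                findings.append((i, field, "ssn"))
            if DOB_RE.search(text):
                findings.append((i, field, "dob"))
    return findings


def render_csv(rows):
    """Serialise the export; refuses to produce output if the scan finds anything."""
    findings = scan_for_sensitive_values(rows)
    if findings:
        raise ValueError(f"release blocked, sensitive values present: {findings}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=PUBLIC_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # The raw register fails the scan; the allowlisted export passes and is rendered.
    print("raw register findings:", scan_for_sensitive_values(INTERNAL_RECORDS))
    print(render_csv(build_public_export(INTERNAL_RECORDS)))
```

The point of keeping the scan separate from the allowlist is that the two fail independently: the allowlist stops a new hire from having to remember which columns to delete, and the scan catches the case where a sensitive value has been pasted into a field that is otherwise public.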