Posted On May 21, 2023 Consumer Privacy & Data Breaches
May 21 – Advisor Group notified the Massachusetts Attorney General’s office on May 8, 2023, of a data breach that occurred at R.R. Donnelly & Sons Company, a third-party vendor. According to the company’s official report, the breach led to the exposure of consumers’ names, Social Security numbers, and mailing addresses to an outside entity. Advisor Group started mailing data breach notification letters to all persons affected by the incident once it was confirmed that consumer data had been compromised.
If Advisor Group or one of its broker dealers notified you of a data breach, it is crucial that you know what information was compromised and what steps you may take to protect yourself. Anyone who received a data breach notification from Royal Alliance, FSC Securities, Woodbury Financial, or SagePoint Financial is at a higher risk of identity theft as a result of the hack that revealed victims’ Social Security numbers. Console & Associates, P.C.’s data breach lawyers are actively investigating the Advisor Group data leak. If you have received a breach notification and are concerned about the risks of identity theft and what you can do to protect yourself, we are offering free consultations where we can go through your legal possibilities for claiming compensation from Advisor Group.
Among the several brokerage dealers that make up Advisor Group are:
Advisor Group, with headquarters in Phoenix, Arizona, has a workforce of over 10,000 and yearly sales of over $3 billion.
According to the company’s filing with the Attorney General of Massachusetts, Advisor Group was recently informed of a cybersecurity incident at one of the company’s vendors, R.R. Donnelly & Sons Company (“RRD”). Evidently, Advisor Group relies on RRD to fulfill some of the company’s mailing needs, which is how RRD ended up in possession of information pertaining to Advisor Group’s clients.
Based on the Advisor Group filing, on December 23, 2021, RRD experienced a possible data security incident. In response, RRD secured its systems and launched an investigation to determine what, if any, consumer data was leaked as a result.
The Advisor Group does not mention when RRD let it know about the incident. However, it is surprising that nearly 18 months elapsed between the RRD data breach and Advisor Group customers receiving notice of the incident.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Advisor Group began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, and address.
On May 8, 2023, Advisor Group sent data breach letters to all individuals whose information was compromised as a result of the incident. Advisor Group recently learned of a cybersecurity vulnerability with one of its vendors, R.R. Donnelly & Sons Company (RRD), according to a filing with the Massachusetts Attorney General. It seems that Advisor Group uses RRD for its mailing purposes, which is how RRD obtained access to Advisor Group’s consumer data.
According to the filing by Advisor Group, a suspected data security issue occurred at RRD on December 23, 2021. As a consequence, RRD tightened security across the board and began investigating whether or not any private information had been compromised.
When exactly RRD notified the Advisor Group is not specified. It’s unusual that Advisor Group clients weren’t informed of the RRD data breach until almost 18 months after it happened.
Advisor Group started reviewing the affected files to identify what information was leaked and who was affected after learning that sensitive consumer data had been made accessible to unauthorized individuals. Your name, Social Security number, and address might have been compromised, albeit the specifics vary on who you are.
Advisor Group notified those whose personal information was exposed by sending them data breach notification letters on May 8, 2023.
If you get a notification from Advisor Group about a data breach, it is likely that your personal information was among the information compromised. Your personal information, including your Social Security number, may have been compromised.
Data collected by hackers via data breaches is often sold on the dark web for financial gain or identity theft. Consumers may take certain efforts to reduce their vulnerability to identity theft, but there are no foolproof ways to prevent their information from falling into the wrong hands.
We’ve compiled a short list of actions you should do immediately if you suspect a data breach has occurred at your organization. This is by no means an all-inclusive list, so if your bank accounts or Social Security number have been hacked, you may want to take further measures.
If a data breach compromises customer information, the affected consumers will be notified. The letters explain the nature of the breach, the measures Advisor Group is doing to protect your data going ahead, and whether or not anyone involved has been the victim of fraud or identity theft as a result of the incident. Read the data breach letter thoroughly before making any decisions.
If a data breach compromises your private information, you should immediately change the passwords to all of your online accounts. Even if you are aware of which accounts were hacked, you should change the passwords for all of them. Any account may be breached, giving hackers access to sensitive information.
Advisor Group will provide data breach victims no cost memberships to their credit monitoring service for a duration of 24 months. Credit monitoring is a service that alerts you if there is unusual activity on your accounts. Using Advisor Group’s no-cost service is a straightforward way to keep track of your credit accounts.
Credit freezes and fraud alerts, in contrast to credit monitoring, are offered at no cost by the three main credit agencies. When you put a freeze on your credit, no one may see your credit report without your permission. The Identity Theft Resource Center says that credit freezes are the best way to prevent fraud once your personal information has been stolen. A fraud alert is a notification sent to credit checking companies when suspicious activity is detected.
Once hackers get your information, they’ll move quickly, giving victims little chance to shut down their accounts and prevent the information from being used. However, the information from Advisor Group may not have been sufficient for the hackers to carry out their activities. If that’s the case, it might be many weeks or months before your information is put to use while they compile the additional information required to do so. Be on the lookout for any suspicious activity on your accounts.
The consumer privacy lawyers at Console & Associates, P.C. help customers affected by data and security breaches pursue legal solutions by offering free consultations. By explaining your rights in clear, concise terms, we help you make an informed decision about your next steps. If you are a victim of the Advisor Group data breach, Console & Associates, P.C. will investigate at no charge to you and offer advice on how to proceed. If you decide to pursue a case, rest assured that we don’t get paid unless you do. If your claim is successful, legal fees are either paid out of the funds recovered or by the defendant. If your claim is not successful, you pay nothing.
Below is a portion of the letter sent out to affected individuals:
I am reaching out on behalf of FSC Securities, Royal Alliance, SagePoint Financial, and Woodbury Financial (collectively, “Advisor Group”), the firm your financial professional uses to support their business operations. We were recently made aware of a security incident that occurred at one of our vendors – R.R. Donnelley & Sons Company (“RRD”), who fulfills some of our client mailings. We understand this news may be concerning, which is why we are committed to communicating with you transparently and helping you mitigate any risk. We have also shared this information with your financial professional.
WHAT HAPPENED? On December 23, 2021, RRD, identified a systems intrusion in its technical environment, and as a result, RRD promptly implemented a series of containment measures to address this situation including activating incident response protocols, shutting down servers and systems, and commencing a forensic investigation. RRD’s investigation subsequently revealed that your personal information appears to have been included in the data that was exfiltrated from their corporate data system, and it notified us of the same on January 17, 2023.
WHAT INFORMATION WAS INVOLVED? The personal information that was exfiltrated from RRD’s corporate data system included your name, address, and Social Security Number.
WHAT WE ARE DOING. Shortly after discovering the intrusion, RRD engaged forensic resources and third parties to assist in its evaluation of the intrusion and shut down all impacted servers. RRD believes to the best of its knowledge that the intrusion has been removed, and we have worked with RRD to ensure it has implemented proper data protection safeguards to better protect information from subsequent incidents.
WHAT YOU CAN DO. At this time, we are not aware of any misuse of the information. As a precautionary measure, we encourage you to remain vigilant for incidence of fraud and identity theft by reviewing account statements over the next 12 to 24 months, monitoring free credit reports, and promptly reporting any suspicious activity. Additionally, we have arranged for you to enroll, at your option, in a 24 Month membership of Experian’s® IdentityWorksSM at no cost to you. This product provides you with superior identity detection and resolution of identity theft.