Resnick Investment Advisors is victim of unauthorized intrusion
Date Reported:
7/21/10
Organization:
Resnick Investment Advisors, LLC
Contractor/Consultant/Branch:
None
Location:
Victims:
Clients
Number Affected:
Undisclosed
Types of Data:
Account information
Breach Description:
Resnick Investment Advisors, LLC has notified the New Hampshire Attorney General of an "electronic intrusion" into its computer network that could have exposed client account information to an unauthorized third party. The incident took place sometime in June 2010.
Reference URL:
New Hampshire Attorney General breach notification letter(s)
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
Letter written to the New Hampshire Attorney General by Resnick's outside legal counsel, Marshall, Dennehey, Warner, Coleman & Coggin:
We are writing on behalf of our client, Resnick Investment Advisors, Inc. ("Resnick").
In June 2010, Resnick experienced an electronic intrusion of its computer network by an outside party.
Resnick discovered the intrusion on or about June 22nd.
Resnick identified the means of the unlawful intrusion, and we reported the incident to the FBI.
[Evan] Use care in how and when you contact law enforcement with respect to a suspected information security related incident. Consider which law enforcement agency is best given the circumstances surrounding the incident. Before reporting the crime, ask yourself a couple of questions. What is your motivation for reporting the crime? What are your expectations from the agency? The FBI will do what they can, but you need to understand the fact that they may have a substantial caseload involving incidents that are more significant in scope and/or impact. All of these things (and much more) should be documented in your incident response procedures. You do have incident response procedures, right?
An investigation by Resnick's IT service provider leads us to believe that the motive of the intruder was not to access records of Resnick's clients, but rather to launch a malicious attack on another entity using Resnick's corporate identity.
[Evan] This scares me a little (OK, maybe a lot). To give the benefit of the doubt, I don't know the skill set or level of expertise that Resnick's "IT service provider" possesses. I just know from past experience that IT service providers do NOT make good information security professionals, incident response specialists, or forensic analysts. Information security, and especially incident response, requires specialized skills that are not commonly found in an IT service provider's repertoire. A poor response and/or poor investigation often destroys evidence, prohibits root cause analysis and eventual prosecution. Next point. How did the IT service provider determine the motive of the "intruder"? I would be more interested in using factual data surrounding the incident to determine the series of events from start to finish. What data did the "intruder" access?
In fact, we have no evidence that client accounts were accessed, altered or affected.
[Evan] We don't know what the evidence supports.
The controls in place on Resnick's network do not allow files to be downloaded.
[Evan] This remark is mentioned a couple of times and is a little confusing to me. If an unauthorized person has gained access, what prohibits them from downloading files? What type of access is allowed?
As a precautionary measure, Resnick is notifying its clients of this incident and offering them credit monitoring through Experian.
Resnick has in place administrative and technical procedures consistent with safeguarding its clients' personal information in order to avoid a reoccurrence of any such incidents.
Resnick is also continually reviewing its policies and procedures and working with its IT service provider to further enhance the security of its network.
Resnick has implemented additional login procedures for access to its network, restricted remote access and deployed additional logging and monitoring on its network.
[Evan] Does this statement provide some hint about how the "intruder" may have gained unauthorized access to the Resnick network?
Resnick continues to work with its IT service provider to take the necessary and appropriate steps to further secure its computer network in order to help avoid future incidents.
[Evan] Like what? The statements provided by the organization are too vague. If I were a client (information owner), I would want to know more!
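The letter says Resnick restricted remote access and deployed additional logging and monitoring, and the commentary above asks for the factual data behind the sequence of events. As an added illustration, not code from Resnick, its IT service provider, or this blog, here is a small Python script that runs three simple monitoring checks over constructed remote-access log lines: a successful login from a source address the account never used during a baseline period, a login outside business hours, and a success that follows a run of failures from the same source. The log format, host name, user names and addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Resnick data): a syslog-style
# remote-access log with successful and failed logins.
SAMPLE_LOG = """\
2010-06-18 09:02:11 vpn01 auth: user=jsmith src=203.0.113.10 result=success
2010-06-18 09:15:43 vpn01 auth: user=aresnick src=203.0.113.22 result=success
2010-06-19 10:01:05 vpn01 auth: user=jsmith src=203.0.113.10 result=success
2010-06-21 02:13:40 vpn01 auth: user=aresnick src=198.51.100.77 result=failure
2010-06-21 02:13:52 vpn01 auth: user=aresnick src=198.51.100.77 result=failure
2010-06-21 02:14:03 vpn01 auth: user=aresnick src=198.51.100.77 result=failure
2010-06-21 02:14:15 vpn01 auth: user=aresnick src=198.51.100.77 result=success
2010-06-22 08:45:00 vpn01 auth: user=jsmith src=203.0.113.10 result=success
"""

# Assumed line layout for the constructed log; a real VPN or RDP gateway
# would need its own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "src": m.group("src"),
            "ok": m.group("result") == "success",
        })
    return events


def find_suspicious_logins(events, baseline_days=2, fail_threshold=3,
                           business_hours=(7, 19)):
    """Flag successful logins that are (a) from a source never seen for that
    user during the baseline window, (b) outside business hours, or (c) preceded
    by fail_threshold or more consecutive failures from the same source."""
    events = sorted(events, key=lambda e: e["ts"])
    if not events:
        return []
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)
    known = defaultdict(set)   # user -> source addresses seen during baseline
    fails = defaultdict(int)   # (user, src) -> consecutive failures so far
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            fails[key] += 1
            continue
        reasons = []
        if e["ts"] < baseline_end:
            known[e["user"]].add(e["src"])       # learning phase, no alerting
        elif e["src"] not in known[e["user"]]:
            reasons.append("new source for user")
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            reasons.append("outside business hours")
        if fails[key] >= fail_threshold:
            reasons.append(f"{fails[key]} failures before success")
        fails[key] = 0                            # success resets the counter
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(sep=" "),
                "user": e["user"],
                "src": e["src"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample lines it flags exactly one event: the 2 a.m. login that followed three failures from an address the account had never used. Checks like these answer how and when someone got in; they say nothing about which files were read, which is the question Evan raises and which needs file-access or application logs rather than authentication logs.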
From the letter to affected clients:
Throughout our 20 year history, Resnick Investment Advisors, LLC has always considered the privacy and security of your personal information to be of the utmost importance, and we take significant measures to protect it.
[Evan] Demonstrate the "utmost importance" by hiring specialized talent to adequately secure your information resources. IT service providers are used to provide IT services. Information security professionals are used to secure information. Information security is NOT an IT issue.
Regrettably, however, we are writing to notify you that, in June 2010, we experienced an electronic intrusion of our computer network by an outside party.
We have identified the means of the unlawful intrusion, and reported the incident to the FBI.
We also have contacted our IT service provider who has assisted us in responding to this situation, and in taking the necessary and appropriate steps to further secure our computer network.
We have no evidence that client accounts were accessed, altered, or affected, but you should immediately report any unauthorized activity in your Resnick accounts to your financial advisor.
We also have no reason to believe that any of your personal information was accessed by the intruders, and the controls in place on our network do not allow files to be downloaded.
[Evan] If the company has NO reason to believe that personal information was accessed, then why are they notifying clients? Maybe a better statement is we have "little reason to believe". You see what I'm saying? Words are powerful and sometimes misleading.
Our IT service provider's investigation leads us to believe that the motive of the intruder was not to access records of our clients, but we are notifying you of this event in an abundance of caution.
Also in an abundance of caution, we are providing you with a free one-year membership in Triple Alert from ConsumerInfo.com, Inc.
[Evan] People who know me or have followed me for a while know how much I dislike the "abundance of caution" statement made by companies. These guys used it twice!
Please be reassured that we have acted responsibly in handling this situation.
[Evan] A rare statement.
We have established a call center to address any questions you may have regarding this event; please call .
Commentary:
It would not be my recommendation to rely on your IT service provider as a primary source of information security guidance. It would also not be my recommendation to use your IT service provider as the primary incident responder or investigator. We (FRSecure) work closely with many IT service providers and our mutual clients to address information security issues. An IT service provider complements our work, and the partnerships have worked out very well.
Past Breaches:
Unknown
Sign me up please. Thanks Evan.
You are signed up, Sir. Of course, you will need to confirm. Check your email. Thanks!
The letter from these people to my wife looked suspiciously like a sales pitch for the credit monitoring service. After the year of free coverage, they state that they will happily start billing you unless you cancel... Um, no. As far as we are aware, my wife has no relationship with Resnick anyway. Unless these records were decades old and it could be from when she was a child??? But I think it smells more like an attempt to scare people who aren't necessarily even clients into trying out and forgetting to cancel the credit monitoring service. I notice that there was no mention of the *free credit report* that, as I understand it, we would be owed if she were truly a client whose data was affected. Just an offer for a free trial of the monitoring service.
Curious what you think of my theory.
Well, for one, this breach is real. If I were in your shoes though, I would be asking these same types of questions. I would not put it past Experian to use this breach as an opportunity to make money in any way they can. Of course they will come off as though they want to help you, but in the end they really want to make money. Personally, I am biased when it comes to the three credit bureaus. They are a big reason why people are in this whole identity theft mess in the first place. I won't go into detail here.
Have you contacted Resnick and asked them what information they have about you? Demand answers about how they got your information, and why they still have it.
Your theory could hold water. I have no evidence to support it, but your general distrust for the system is shared by many.
Thank you for reading and commenting!