On August 9, 2022, Acorn Financial Services confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data on Acorn’s network through an email-based cyberattack. According to Acorn, the breach resulted in names, addresses, dates of birth, driver’s license numbers, financial account numbers, Social Security numbers, and other account-related information being compromised. Acorn has since sent data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other fraud.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Acorn Financial Services data breach, please see our recent piece on the topic here.
Additional Details About the Acorn Financial Services Data Breach
According to an official notice filed by the company, on or around April 22, 2022, Acorn Financial Services discovered unusual activity within an employee email account. In response, Acorn secured the account and launched an investigation to learn more about the incident and whether it resulted in the exposure of any consumer data.
The company’s investigation confirmed that an unauthorized actor gained access to the employee email account, which contained sensitive consumer data. Upon discovering that this data had been accessible to an unauthorized party, Acorn Financial Services reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, date of birth, driver’s license number, financial account number, Social Security number, and other account-related information.
On August 9, 2022, Acorn Financial Services sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1984, Acorn Financial Services is a financial planning firm based in Livingston, New Jersey. The company helps individuals and small business owners grow and maintain their wealth through a variety of products offered through Royal Alliance Associates, Inc., some of which include life insurance, investments, annuities, long-term care insurance, disability income insurance, qualified and non-qualified retirement plans, key person insurance, and group health insurance. Acorn Financial Services employs more than 40 people and generates approximately $10 million in annual revenue.
How Do Hackers Access Employee Email Accounts?
In the notice provided to victims of the recent data breach, Acorn Financial Services noted that the incident leading to the breach occurred when an unauthorized party gained access to an employee email account. While the company did not say how the unauthorized party or parties obtained the login credentials for the account, there are a few common tricks hackers use to gain access to employee email accounts.
Most email-based cyberattacks, such as the incident leading to the Acorn breach, involve phishing. Phishing is a type of cyberattack in which a hacker sends an employee of a company an email in the hope of getting the employee to provide the hacker with the information needed to access the email account. These emails appear to come from a legitimate source and are designed to trick even discerning employees. For example, a phishing email may carry the company logo and come from a domain name that closely resembles the real one.
In the email, the hacker tries to trick the employee into giving them the information needed to access the employee’s email account. The hacker does this by relying on principles of social engineering to make the employee believe they are simply complying with a legitimate request. For example, a phishing email may inform an employee that,
They reached their email storage limit;
An email they sent was returned as undeliverable; or
There was an unauthorized login to their account, requiring a password reset.
Most often, hackers either include a simple request for information (for example, “please verify your password”) or include a malicious link that, when clicked, takes the employee to a website the attacker controls, where they are asked to enter their login credentials. In some cases, hackers attach a malicious file to the email and instruct the employee to download it.
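The two tells described above, a sender domain that merely resembles a trusted one and a link whose visible text names a different host than its real destination, can be checked mechanically before a message reaches an inbox. The following Python routine is an added example written for this article; it is not part of Acorn's notice or any product the article mentions. The trusted domains, the homoglyph table and the sample message are all constructed for illustration, and the edit-distance threshold is a heuristic that a real deployment would tune per domain length.

```python
"""Heuristic phishing triage for one inbound message.

Checks (1) whether the sender's domain imitates a trusted domain and
(2) whether each link's displayed host differs from where it really goes.
Every domain and the sample message here are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Constructed: domains the organisation genuinely sends mail and hosts logins from.
TRUSTED_DOMAINS = ("example-bank.com", "mail.example-bank.com")

# Character swaps attackers rely on because the glyphs look alike in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold_homoglyphs(domain: str) -> str:
    """Lowercase a domain and collapse common look-alike characters."""
    folded = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain a sender imitates, or None.

    An exact match is legitimate. A domain that folds to a trusted one, sits
    within a couple of edits of it, or uses it as a leading label
    (example-bank.com.evil.net) is reported as a look-alike.
    """
    if sender_domain.lower() in trusted:
        return None
    folded = fold_homoglyphs(sender_domain)
    for t in trusted:
        ft = fold_homoglyphs(t)
        if folded == ft or levenshtein(folded, ft) <= max_dist or folded.startswith(ft + "."):
            return t
    return None


def link_mismatch(display_text: str, href: str):
    """Return (shown_host, real_host) when a link's text names another host.

    Display text that is not a URL or hostname ("Reset password") is not
    compared here; triage() separately checks where the href actually leads.
    """
    real_host = (urlparse(href).hostname or "").lower()
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", display_text.strip(), re.I)
    if not m:
        return None
    shown_host = m.group(1).lower()
    return (shown_host, real_host) if shown_host != real_host else None


def triage(message: dict) -> list:
    """Collect human-readable findings for a message {from, subject, links}."""
    findings = []
    m = re.search(r"@([\w.-]+)", message["from"])
    sender_domain = m.group(1) if m else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    for text, href in message["links"]:
        mismatch = link_mismatch(text, href)
        if mismatch:
            findings.append(f"link text shows {mismatch[0]} but points to {mismatch[1]}")
        host = (urlparse(href).hostname or "").lower()
        off_domain = host not in TRUSTED_DOMAINS and not any(
            host.endswith("." + t) for t in TRUSTED_DOMAINS)
        if host and off_domain:
            findings.append(f"link leads off the trusted domains: {host}")
    return findings


# Constructed sample: the "storage limit" pretext with a digit-for-letter domain.
SAMPLE_PHISH = {
    "from": "IT Support <helpdesk@examp1e-bank.com>",
    "subject": "Mailbox storage limit reached",
    "links": [("https://mail.example-bank.com/quota", "https://mail.examp1e-bank.com/login")],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print("FLAG:", finding)
```

Running the script flags all three signals in the constructed message: the sender domain folds to the trusted one, the link text and its target disagree, and the target host is outside the trusted set. A message from `notices@mail.example-bank.com` whose links stay on that domain produces no findings, which is the check that keeps a filter like this from drowning analysts in false positives.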
The Identity Theft Resource Center reports that phishing attacks made up a third of all cyberattacks in 2021. This makes phishing the single most common cyberattack. In large part, this is because phishing attacks are one of the easiest attacks to carry out and are highly successful. For example, according to a 2021 study, employees in the United States receive 14 malicious emails per year on average, and 86% of companies report that at least one employee clicked a phishing link in 2021.