Recently, Private Client Services, LLC (“PCS”) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer information through a compromised employee email account. According to PCS, the breach resulted in the names, Social Security numbers, driver’s license numbers and state identification numbers of affected individuals being compromised. On May 27, 2022, PCS filed official notice of the breach and sent out data breach letters to all affected parties. In total, the company sent out 22,554 letters.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Private Client Services data breach, please see our recent piece on the topic here.
What We Know About the Private Client Services Data Breach
Based on the most recent filings from Private Client Services, LLC, on November 18, 2021, the company discovered suspicious activity on an employee email account. In response, PCS launched an investigation into the incident to determine the nature and scope of the unauthorized activity. This investigation confirmed that an unauthorized party gained access to an employee email account between November 4 and November 18, 2021.
After confirming the company experienced a data security incident, Private Client Services then sought to determine whether any sensitive consumer information was accessible through the email account.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Private Client Services then reviewed the affected files to determine what information was compromised and which people were affected. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number and state identification number. As many as 22,554 individuals are believed to have been affected by the PCS data breach.
On May 27, 2022, Private Client Services issued NOTICE OF DATA BREACH letters to all individuals whose information was compromised as a result of the incident.
More Information About Private Client Services, LLC
Private Client Services, LLC is an independent, privately-owned broker/dealer and registered investment advisor based in Louisville, Kentucky. Founded in 1990 as Kentucky Financial Group, PCS provides support to financial advisors across the country. In more recent years, the company has expanded the services provided to its corporate customers to include clearing services, back-office support services, and compliance services. Private Client Services employs about 25 people and generates approximately $5 million in annual revenue.
How Do Hackers Gain Access to Employee Email Accounts?
While PCS provided a good amount of detail regarding the recent breach, the company did not explain how the unauthorized party was able to access the employee email account containing the sensitive consumer information. Email-based cyber attacks can occur in a number of ways. However, the most common type of cyber attack involving unauthorized email access is a phishing attack.
Phishing attacks rely on principles of social engineering to get an employee to provide information to the hacker directly or download malicious software that allows the hacker to access the victim’s computer. Phishing attacks start with the hacker sending a legitimate-looking email asking the recipient to either verify their identity or click on a link.
The information obtained through a successful email phishing campaign is often used to commit fraud or identity theft against the victim. While a company is certainly one of the victims of a phishing attack, the real victims are those whose information is stolen in these cyberattacks.
Phishing is very common and is one of the top causes of data breaches every year. According to a 2021 study, employees in the United States receive an average of 14 malicious emails per year. Some employees, such as those in the retail industry, receive an average of 49 malicious emails per year. These attacks are well-designed and appear to come from trusted sources. In fact, 86% of companies had at least one employee who clicked a phishing link in 2021.
Businesses are aware of the threat phishing attacks pose. Thus, it is essential that they take the appropriate steps to educate all employees about the risks and implement robust data security systems to detect unauthorized access. Given the high number of phishing attacks in recent years, many companies require employees to attend training to help them identify phishing attacks. However, there are also back-end data security measures that organizations can use to reduce the number of phishing emails that make it into employees’ inboxes.