On July 29, 2022, RetireOne, Inc., a platform for fee-based insurance solutions developed and maintained by Aria Retirement Solutions, Inc., experienced a data breach after an unauthorized party gained access to sensitive consumer data through a compromised employee email account. According to Aria, the breach resulted in the names, Social Security numbers, driver’s license numbers, dates of birth and financial account information belonging to certain individuals being compromised. Aria also sent out data breach letters to all affected parties informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Aria Retirement Solutions data breach, please see our recent piece on the topic here.
More Info on the Aria Retirement Solutions Data Breach
According to an official notice filed by the company, on or around September 1, 2021, Aria detected suspicious activity on one of its employees' email accounts. In response, the company launched an investigation to learn more about what was going on. On September 20, 2021, the company learned that an unauthorized party had gained access to the employee’s email account. Aria was unable to determine which, if any, of the emails the unauthorized party accessed. However, the company confirmed that there were emails and attachments in the account containing sensitive consumer data.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Aria Retirement Solutions then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include your name, Social Security number, driver’s license number, date of birth and financial account information.
On July 29, 2022, Aria Retirement Solutions sent out “Notice of Security Incident” letters to all individuals whose information was compromised as a result of the recent data security incident.
Aria Retirement Solutions, Inc. is a financial services company based in San Francisco, California. The company creates and markets a range of products to registered investment advisors. Aria also created and maintains RetireOne, which is a platform for fee-based insurance solutions. Aria Retirement Solutions employs more than 25 people and generates approximately $5 million in annual revenue.
How Do Hackers Access Employee Email Accounts?
Aria Retirement Solutions explains in its “Notice of Security Incident” letter that the recently announced data breach was the result of an unauthorized party gaining access to an employee’s email account. However, one fact the company left out is how the unauthorized party was able to do so.
There are a few ways that hackers or other cybercriminals looking to steal consumer information can access employee email accounts. However, most email-based cyber attacks start off with a phishing email.
Phishing is a type of cyberattack in which a hacker sends an email from a seemingly legitimate source to an employee of an organization. These emails are well designed and look very much like official emails; for example, they may contain company logos and come from an almost identical domain name. In the email, the hacker relies on social engineering principles to “trick” the employee into giving them the information they need to access the employee’s email account. For example, the following are all common subjects of a phishing email:
- The employee reached their email storage limit;
- An email the employee sent was returned as undeliverable; or
- There was an unauthorized login to the employee’s account, necessitating a password reset.
Most often, hackers either include a simple request for information or include a malicious link that, when clicked, takes the employee to a totally unrelated website that, again, appears legitimate. In some cases, hackers will attach malicious files to an email, asking the employee to download the file.
Phishing emails are incredibly common. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Companies can prevent phishing attacks, however, by training employees to be on the lookout for these fraudulent emails.
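The two signals described above, a sender domain that is almost identical to the real one and a subject line built on one of the common lures, can also be checked automatically when mail arrives. The following is an added example, not taken from Aria's notice or any company's tooling; the domain example.com, the distance threshold, the subject patterns and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain

# One pattern per lure listed in the article; the regexes are assumptions.
LURE_PATTERNS = {
    "storage_limit": re.compile(r"(storage|mailbox|quota).*(limit|full|exceeded)", re.I),
    "undeliverable": re.compile(r"undeliverable|delivery (failure|failed)|returned mail", re.I),
    "password_reset": re.compile(r"(unauthori[sz]ed|unusual).*(login|sign-?in)|password reset", re.I),
}

# Constructed sample messages, not real mail.
SAMPLES = {
    "lookalike": "From: IT Support <helpdesk@examp1e.com>\nSubject: Your mailbox has reached its storage limit\n\nbody",
    "internal": "From: Payroll <payroll@example.com>\nSubject: Password reset completed\n\nbody",
    "external": "From: Vendor <billing@vendor.test>\nSubject: Invoice for July\n\nbody",
}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, real=ORG_DOMAIN, max_dist=2):
    """True when a domain is close to, but not the same as, the real one."""
    domain = domain.lower().rstrip(".")
    if domain == real or domain.endswith("." + real):
        return False  # the real domain or one of its subdomains
    return edit_distance(domain, real) <= max_dist

def score_message(raw):
    """Report the sender domain, whether it is a lookalike, and matched lures."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    subject = msg.get("Subject", "")
    lures = sorted(name for name, rx in LURE_PATTERNS.items() if rx.search(subject))
    return {"sender_domain": domain, "lookalike": is_lookalike(domain), "lures": lures}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

A lure subject on its own is weak evidence, since the genuine internal sample also matches one; the lookalike sender domain is the stronger signal.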