Investment research firm Morningstar says that personal information including credit card numbers for clients, email addresses and passwords may have been compromised during an intrusion into its systems in April 2012.
Morningstar admits that the data was not encrypted at the time, and advised users to check credit card statements for evidence of fraud.
Around 2,300 users of the Morningstar Document Research system had their credit card information leaked, and a further 182,000 users may have had usernames and passwords compromised. The information was revealed in an SEC filing, and reported by Associated Press.
The investment research firm said, “A small subset of our clients’ credit card and other personal information may have been compromised because of an illegal intrusion into the Morningstar Document Research. We recently learned that this intrusion occurred around April 3, 2012.”
“The server in question housed information clients provided to us, and may have included first and last names, addresses, email addresses, user-generated passwords, and some credit card numbers. This information was not encrypted at the time of the intrusion.”
Morningstar said that it had introduced a more secure system since the breach, and that has sent notices via email to affected clients, as well as initiating password rsesets. The company also said it was working with law enforcement to investigate the breach. The company posted more detailed information, including advice for affected clients in a PDF on its news site.
“We don’t have any evidence to suggest that the information was misused,” the company said in its statement. “As a precaution, if you were among the small number of clients whose credit card information may have been compromised, you should look at your statements from last year and this year.We have arranged for clients whose credit card information may have been compromised to receive 12 months of free identity protection through Experian.”
Author Rob Waugh, We Live Security