Wells Fargo Advisors Financial Network filed a lawsuit on Monday against yet-to-be-identified hackers of a Portland, Oregon firm’s computers, illustrating the innovative attempts that frustrated firms are taking to battle cybersecurity attacks.
In a complaint captioned Wells Fargo Advisors Financial Network, LLC v. John Does (1 through 10) that was filed in U.S. District Court in Oregon, Wells said that unknown hackers in the Dominican Republic had compromised a business computer at Steinberg Investment Group, a three-person firm that affiliated with LPL earlier this month after a decade with Wells’ independent channel.
The lawsuit, which Wells said will be amended as more details about the alleged hackers become known, seeks compensation for actual costs related to bulking up security systems and recovering lost data—including the cost of an audit by an independent third party to verify the missing data—as well as reputational damages.
The hackers breached the computer of Lance Steinberg, the firm’s owner, on April 2, obtained login credentials to access his company account at GoDaddy and intercept incoming emails, and accessed his personal Capital One and Amazon accounts, according to the complaint. They rerouted intercepted emails to a server they controlled, it said.
Steinberg, who is not a plaintiff in the lawsuit, did not return a request for comment.
“The security of our clients’ accounts and information is a priority at Wells Fargo,” a Wells Fargo Advisors spokeswoman wrote in an e-mail.
In its complaint, Wells said Steinberg “took reasonable and appropriate steps,” including using password protections and anti-virus software and following Wells Fargo’s information technology safety protocols. The broker discovered the compromises when he returned from traveling and discovered “multiple open Internet browsing sessions” that he did not initiate, the lawsuit said.
Steinberg learned of the e-mail interception a day after the alleged attack when a client called to ask why he was not responding to a message.
The lawsuit is “a final step in closing out our investigation of this matter,” the spokeswoman said, noting that Wells’s own computer network has not been compromised and that no Steinberg clients have reported suspicious activity in their accounts.
While details of the hacking are not spelled out in the lawsuit, it is reasonable to suspect a phishing scam in which people release login credentials unintentionally in response to emails or phone calls, said Bill Winterberg, founder of FPPAD, an Atlanta-based financial technology consulting firm to advisory practices.
“It’s hard to say how common it is,” Winterberg wrote in an email. Most small advisory firms have learned not to keep software on their computers that would allow remote access, he said.
The North American Securities Administrators Association, which represent state securities regulators, announced in September that it uncovered nearly 700 deficiencies in 1,200 recent exams of investment advisers. The flaws ranged from out-of-date virus protection software to lack of procedures for securing devices or limiting access to them.
“Cybersecurity remains one of the top compliance risks for financial firms,” the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations said in a risk alert in August.