Ameriprise Data Breach
Here’s what we know: The data was coming from a Network Attached Storage device insecurely configured with no username or password required for access. This specific leaky device was not on the internal Ameriprise network, as it was physically located inside an Ameriprise employee’s home. But then how did it receive and store unencrypted, internal Ameriprise data? That’s the mystery.
It turns out that an identical NAS device exists within this employee’s satellite Ameriprise office, and somehow the devices were synchronizing with each other over the open internet. I found it through a random review of Shodan.io rsync results.
Out of an abundance of caution, Ameriprise has pulled both devices and will be examining them within an internal IT lab.
Through journalist Zack Whittaker, of CNET/ZDNET/CBS, I’ve heard that Ameriprise is claiming the company does not supply these devices to their offices. This may be at odds with what I was told by the affected financial advisor in question. I was informed that the very reason he had one of the devices in his house was because it is the same exact model of device they use at his office.
Now, that doesn’t necessarily mean that Ameriprise specifically deployed or even authorized the use of that device within the advisor’s office. However, an Ameriprise employee did indicate to me that the pulling and examining of the devices was, in part, to make sure there wasn’t a bigger problem to worry about. To me, that says there is at least some concern that more of these devices may be out in Ameriprise offices. That’s not to say there’s any reason to think more may be misconfigured in the same way, but it’s at least worth looking into as a possibility.
When Zack Wittaker asked how Ameriprise secures NAS devices that its offices may be using, Ameriprise’s PR people replied, “We provide a secure online storage solution for this information.”
I find it odd, then, that within the leaked data there is a confidential Business Continuity Plan (BCP), dated Feb. 4th, 2015, in which Ameriprise asks its advisors “Do you keep your backup computer records (i.e. hard drive, memory stick, etc.) at a location other than your office?”, to which the possible answers are “Yes”, “No”, and “N/A – (select this option if you are using an online solution)”.
Why would that question even exist if Ameriprise only provides a secure online storage solution?
Additional security and compliance documentation within the leaked files make plenty of references to physically securing flash drives and external hard drives, so Ameriprise has to know that these kinds of devices do actually exist within their offices. That’s essentially what a Network Attached Storage device is – one or more external hard drives connected to a computer network, generally for the sole purpose of data storage and backups.
The biggest question, that will probably never be answered, is whether or not I could have used any of the gathered credentials to gain access into Ameriprise’s internal network. Doing so would be a clear violation of the Computer Fraud and Abuse Act, which makes even attempting it off-limits to me and my research efforts.
One avenue that a real criminal hacker could have pursued would be cracking the password-manager backup files contained within the data trove. The financial advisor uses 1Password to manage his web credentials. This means that hashed versions of all his passwords were included. Only one “master password” would need to be cracked and then all of them would be made available in plain text. A password hint file was even included pertaining to this master password. Considering what’s in the hint file, I’m pretty sure the master password could be cracked.
If you’re an Ameriprise client, and received a notification letter about this event, I’d love to see a copy. There are still many questions to be answered and I’m hoping the affected clients are provided a detailed and accurate account of what transpired. Ameriprise is a big name and they should set the bar high with a detailed report of how this happened.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.