Update on Morningstar Document Research breach

Reuters reports:

Investment research firm Morningstar Inc said personal information, including credit card details, of about 2,300 users of its Morningstar Document Research service may have been compromised due to a security breach last year.

The incident on April 3, 2012 may also have led to the leakage of names, addresses, email addresses and passwords, the company said in a filing on Friday.

Morningstar Document Research, formerly 10-K Wizard, provides a global database and search tool for company filings.

An additional 182,000 clients who had email addresses and user-generated passwords on the system may also have been affected, Morningstar added.

Read more on Reuters.  AP also covers the breach, here.

Both outlets seemingly learned about this breach via the firm’s 8K security filing.  Actually, if they had read DataBreaches.net, they would have known about this breach already weeks ago, although I didn’t know the number affected on June 18 when I uploaded a reader-submitted notification.

Here is the relevant section of the July 5  8k filing:

Security Incident with Morningstar Document Research

3. Can you detail the cause, timing, and nature of your recent security breach? What will its final cost be to shareholders?

We recently became aware that an illegal intrusion into the Morningstar Document Research (formerly 10-K Wizard) system occurred around April 3, 2012. As a result, a small subset of our clients’ personal information, such as names, addresses, email addresses, passwords, and credit card numbers, may have been compromised. The intrusion affected about 2,300 users whose credit card information was stored in the Morningstar Document Research (MDR) system. An additional 182,000 clients who had email addresses and user-generated passwords in the system may have been affected.

Earlier this year, we shut down the old servers and moved the data to a more secure infrastructure as part of a migration plan for MDR unrelated to this incident. We have taken additional steps to prevent unauthorized access to our systems to protect client information. We are also working with law enforcement officials and credit card companies as well as conducting our own investigations.

We take this matter very seriously and are working diligently to protect our client information and prevent this type of incident from happening again.

Protecting the integrity of our client information is of utmost importance to us. We have sent notices to MDR clients and reset their passwords. We have also encouraged MDR clients to be cautious about phishing scams and password protection. In addition, we have encouraged clients whose credit cards may have been compromised to monitor their credit reports and credit card accounts, and we are offering them 12 months of free identity protection through Experian’s ProtectMyID™ Alert program.

So the SEC filings are turning out to be an occasional source of useful details on breaches. But it’s not clear to me why I haven’t seen this breach on any of the state web sites that disclose breach reports.  In response to an inquiry from this site as to which states were notified, Morningstar spokesperson Margaret Kirch Cohen would only say that the firm “notified the authorities as required.”

According to Cohen, Morningstar first learned of the breach when they were notified of it by a client.

About the author: Dissent

Comments are closed.