Advisor Group Issues Alert for 2021 Vendor Data Breach Affecting Clients

Personal information exfiltrated from RRD’s corporate data system included users’ names, addresses and Social Security numbers.


The Advisor Group, a network of independent wealth management firms, sent out notice of a 2021 data breach that occurred at vendor R.R. Donnelley & Sons Co., putting users’ personal information, including Social Security numbers, at risk.

The organization alerted individuals of the security incident in a letter, dated May 8, on behalf of member organizations FSC Securities, Royal Alliance, SagePoint Financial and Woodbury Financial.

“On December 23, 2021, RRD, identified a systems intrusion in its technical environment,” the firm wrote in the letter. “RRD’s investigation subsequently revealed that your personal information appears to have been included in the data that was exfiltrated from their corporate data system, and it notified us of the same on January 17, 2023.”

As an Advisor Group vendor, RRD fulfills some of the firm’s client mailings. Personal information exfiltrated from RRD’s corporate data system included users’ names, addresses and Social Security numbers.

“Shortly after discovering the intrusion, RRD engaged forensic resources and third parties to assist in its evaluation of the intrusion and shut down all impacted servers,” the firm continued in the letter. “RRD believes to the best of its knowledge that the intrusion has been removed, and we have worked with RRD to ensure it has implemented proper data protection safeguards to better protect information from subsequent incidents.”

On August 12, 2022 Plaintiff Robin Forslund filed a data breach class action lawsuit against RRD in an Illinois federal court, alleging negligence and breach of privacy.

“Despite learning of the Data Breach in December 2021, Defendant did not begin notifying Plaintiff and Class Members until on or around August 5, 2022,” Forslund alleges. 

The class action states the company found outside actors first accessed Defendant’s systems on November 29, 2021, upon investigation. Personal information can and likely will be sold on the dark web as a result of data breach, the class action claims. 

“Plaintiff and Class Members now face a lifetime risk of identity theft, which is heightened here by the loss of Social Security numbers — the gold standard for identity thieves,” according to the lawsuit.

The Advisor Group said it was not aware of any misuse of the information at the time the notice was sent. However, the organization encouraged clients to remain vigilant for incidents of fraud and identity theft. Over the next 12 to 24 months, individuals should review account statements, monitor free credit reports and promptly report any suspicious activity.

Additionally, the firm arranged a 24-month membership of Experian’s IdentityWorksSM for clients at no cost.

The announcement is similar to a data breach reported on May 12 by the Retirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans. The firm alerted more than 10,500 individuals that their personal data, including individual retirement account numbers, may have been compromised, according to public filings in the states where they are located.

The Advisor Group is currently in the process of simplifying its network of independent wealth management firms under one unified brand. The firm will announce its new brand and naming on June 21, it announced in a press release Tuesday.

«