Breach Analysis

Conrad Capital Management, Inc. Data Breach Analysis

Analysis of the Conrad Capital Management, Inc. data breach disclosed 2026-04-15

By FinSecLedger
Records: 258
Vector: unknown
Status: confirmed
Occurred: Nov 11, 2025
Discovered: Mar 8, 2026
Disclosed: Apr 15, 2026
Exposed: Names, SSN, driver_license, financial_account, tax_id
Sources: Maine AG

Conrad Capital Management Breach Exposes Sensitive Financial Data After Four-Month Network Intrusion

Conrad Capital Management, Inc., a registered investment adviser, has disclosed a data breach affecting 258 individuals after an unauthorized actor maintained persistent access to the firm's network for nearly four months. The breach, discovered on March 8, 2026, exposed highly sensitive personal and financial information including Social Security numbers, driver's license numbers, financial account numbers, and tax identification numbers.

The incident highlights ongoing security challenges facing smaller investment management firms, which often lack the security resources of larger financial institutions but handle equally sensitive client data subject to the same regulatory obligations under the Gramm-Leach-Bliley Act.

Timeline of Events

The breach timeline reveals a prolonged intrusion with significant gaps between key milestones:

Event                          Date
Initial unauthorized access    November 11, 2025
Intrusion discovered           March 8, 2026
File review completed          April 6, 2026
Notification letters mailed    April 15, 2026

The unauthorized actor maintained network access for 117 days before detection—nearly four months of persistent access during which files containing sensitive client information were exfiltrated. This extended dwell time falls well above the industry median and suggests gaps in network monitoring and anomaly detection capabilities.

The 38-day gap between discovery and completing the file review, followed by a 9-day notification window, places Conrad's disclosure within typical ranges for breach response. However, the prolonged intrusion period itself raises questions about the firm's ability to detect unauthorized activity in its environment.

Data Exposure and Client Risk

The compromised data represents the most sensitive categories of personally identifiable information:

  • Social Security numbers — Primary identifier for identity theft and tax fraud
  • Driver's license numbers — Used for synthetic identity creation and account takeover
  • Financial account numbers — Direct pathway to unauthorized transactions and account compromise
  • Tax identification numbers — Enables fraudulent tax filings and business identity theft

For clients of an investment management firm, this combination creates acute risk. Unlike retail banking breaches where account numbers can be quickly changed, the exposed data types are largely immutable. Social Security numbers and tax IDs cannot be replaced without significant effort, and driver's license numbers require state-level reissuance processes.

The financial account exposure is particularly concerning in the investment advisory context. Client accounts at custodians could potentially be targeted for unauthorized transfer requests, especially if the threat actor obtained enough correlated data to pass verification procedures. Similar exposure of financial account data at other wealth management firms has led to downstream fraud attempts targeting high-net-worth individuals.

Attack Vector Analysis

Conrad's notification provides limited technical detail about the intrusion method, stating only that "an unauthorized person accessed the network" and "took copies of certain files." The lack of specificity leaves several possibilities:

Credential compromise remains the most common initial access vector for financial services firms. Phishing attacks targeting employees with network access, credential stuffing using leaked passwords, or exploitation of remote access systems without multi-factor authentication could explain the initial entry.

Third-party compromise cannot be ruled out. The breach at Ashton Thomas Private Wealth, another investment advisory firm, similarly involved unauthorized email access affecting client data. Investment advisers often rely on shared service providers for trading platforms, portfolio management, and client reporting—any of which could serve as entry points.

Vulnerability exploitation in perimeter systems, particularly VPN concentrators or remote desktop services, has driven numerous financial sector breaches. The November 2025 initial access date coincides with several critical vulnerabilities in common enterprise products.

The extended dwell time suggests the attacker operated with low visibility, possibly accessing systems intermittently or focusing on data collection rather than deploying detectable malware. Conrad's statement that it "immediately took steps to secure their network" upon discovery implies the intrusion was active when detected, not discovered through forensic review of historical logs.

Regulatory Implications

GLBA Safeguards Rule Requirements

As a registered investment adviser, Conrad Capital Management falls under the jurisdiction of the SEC and must comply with Regulation S-P, which incorporates GLBA Safeguards Rule requirements. The updated FTC Safeguards Rule (16 CFR Part 314), while directly applicable to non-bank financial institutions under FTC jurisdiction, establishes baseline expectations that SEC-regulated entities should meet.

Key requirements relevant to this incident include:

  • Access controls limiting information access to authorized personnel
  • Encryption of customer information in transit and at rest
  • Multi-factor authentication for accessing customer information systems
  • Continuous monitoring to detect unauthorized access
  • Incident response procedures including notification protocols

The four-month dwell time raises questions about Conrad's monitoring capabilities. The updated Safeguards Rule specifically requires "continuous monitoring or periodic penetration testing and vulnerability assessments" — controls that should detect persistent unauthorized access.

SEC Examination Priorities

The SEC's Division of Examinations has consistently prioritized cybersecurity in its examination of registered investment advisers. The 2026 examination priorities explicitly reference:

  • Policies and procedures for protecting customer records and information
  • Safeguards for remote access to customer data
  • Incident response and notification procedures
  • Third-party risk management

Conrad should anticipate SEC examination scrutiny following this disclosure, particularly around its pre-breach security posture and the adequacy of its detection capabilities.

State Breach Notification Compliance

The Maine Attorney General notification indicates Conrad has complied with that state's breach notification requirements, which mandate notification within 30 days of determining that a breach has occurred. The April 6 determination date and April 15 notification fall within this window.

However, affected individuals likely reside across multiple states. Investment advisers typically serve clients nationally, meaning Conrad must navigate varying state notification requirements. Several states, including New York and California, have notification timing requirements that could apply depending on client geographic distribution.

The Bigger Picture: Investment Adviser Security Gaps

This breach reflects a persistent pattern in the financial sector: smaller investment advisers and wealth management firms facing the same threat actors as major banks but with significantly fewer security resources.

FS-ISAC threat intelligence indicates that investment advisers are increasingly targeted precisely because of this resource asymmetry. These firms hold high-value client data—often for wealthy individuals with significant assets—while operating with IT staff measured in single digits rather than hundreds.

The Ameriprise phishing breach demonstrated how even larger wealth management operations remain vulnerable to targeted attacks. For smaller firms like Conrad, the challenge is magnified. They must secure client data against sophisticated threats while managing cybersecurity spending as a percentage of revenue that dwarfs what larger institutions face.

Industry data suggests investment advisers experience breach rates comparable to other financial services segments but typically take longer to detect intrusions and have higher rates of data exfiltration when breaches occur. The Conrad incident, with its 117-day dwell time and confirmed data theft, fits this pattern.

Action Items for Peer Institutions

Investment advisers and small financial institutions should review their security posture in light of this incident:

  1. Implement endpoint detection and response (EDR) with 24/7 monitoring. The extended dwell time in this breach suggests gaps in anomaly detection. EDR solutions with managed detection and response services provide enterprise-grade monitoring at costs accessible to smaller firms. Prioritize solutions that can detect data staging and exfiltration behaviors, not just malware signatures.

  2. Enforce multi-factor authentication on all remote access and sensitive systems. This includes VPN connections, email, cloud services, and any system containing client PII. SMS-based MFA is better than nothing but hardware tokens or authenticator apps provide stronger protection against phishing and SIM-swapping attacks.

  3. Conduct privileged access inventory and implement least-privilege principles. Identify every account with access to client data repositories. Remove standing privileges where possible and implement just-in-time access for administrative functions. The fewer accounts that can access sensitive data, the smaller the attack surface.

  4. Deploy data loss prevention (DLP) controls on endpoints and network egress. The Conrad breach involved file exfiltration—copying client data out of the environment. DLP solutions can detect and alert on bulk file transfers, unusual data access patterns, and attempts to move sensitive data to unauthorized destinations.

  5. Engage a third-party security firm for annual penetration testing and tabletop exercises. Many smaller advisers rely on compliance-driven security assessments that check boxes without testing real-world attack scenarios. Penetration testing that specifically targets client data access paths, combined with incident response exercises, identifies gaps before attackers exploit them.
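As an added illustration of the detection behaviour items 1 and 4 ask for (bulk client-file access and data staging ahead of exfiltration), here is a small Python detector run over constructed file-server audit lines; it is not code from the article or from any vendor product. The log format, account names, paths, business-hours window and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Parse a constructed audit line: '<ISO ts> <user> <action> <path> <bytes>'."""
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}

def detect_bulk_access(lines, window_minutes=30, max_files=20,
                       max_bytes=50_000_000, business_hours=(8, 18)):
    """Bucket READ events per user into fixed windows (window_minutes must divide 60)
    and alert when a bucket touches more than max_files distinct files or more than
    max_bytes; off-hours is appended as a reason only when a volume threshold fired."""
    buckets = defaultdict(lambda: {"files": set(), "bytes": 0, "off_hours": False})
    for line in lines:
        ev = parse_line(line)
        if ev["action"] != "READ":
            continue  # writes/deletes are out of scope for this detector
        start = ev["ts"].replace(minute=ev["ts"].minute // window_minutes * window_minutes,
                                 second=0, microsecond=0)
        b = buckets[(ev["user"], start)]
        b["files"].add(ev["path"])
        b["bytes"] += ev["bytes"]
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            b["off_hours"] = True
    alerts = []
    for (user, start), b in sorted(buckets.items()):
        reasons = [r for r, hit in (("bulk_files", len(b["files"]) > max_files),
                                    ("bulk_bytes", b["bytes"] > max_bytes)) if hit]
        if reasons and b["off_hours"]:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": user, "window_start": start, "files": len(b["files"]),
                           "bytes": b["bytes"], "reasons": reasons})
    return alerts

def constructed_sample_log():
    """Constructed sample: one account reads 45 client KYC packets in six minutes at
    02:00 and writes a staging archive; another account does three daytime reads."""
    lines, t = [], datetime(2025, 11, 11, 2, 3, 11)
    for i in range(45):
        t += timedelta(seconds=8)
        lines.append(f"{t.isoformat()} jdoe READ /clients/acct_{i:04d}/kyc_packet.pdf 1200000")
    lines.append("2025-11-11T02:09:40 jdoe WRITE /tmp/export.zip 54000000")
    for i, hour in enumerate((9, 10, 14)):
        ts = datetime(2025, 11, 11, hour, 15).isoformat()
        lines.append(f"{ts} asmith READ /clients/acct_{i:04d}/statement.pdf 220000")
    return lines
```

Running `detect_bulk_access(constructed_sample_log())` yields a single alert for the 02:00 window with reasons bulk_files, bulk_bytes and off_hours, while the three daytime reads produce none; in a real deployment the thresholds would be set from each account's observed baseline rather than fixed constants.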

Conclusion

The Conrad Capital Management breach serves as a reminder that threat actors make no distinction based on firm size. The 258 affected individuals entrusted their most sensitive financial information to an adviser that, despite regulatory obligations, experienced a four-month intrusion resulting in confirmed data theft.

For the affected clients, the one-year credit monitoring offer represents a minimal remediation for exposure that creates permanent identity theft risk. For peer institutions, this incident should prompt immediate review of network monitoring capabilities and data access controls—before their own extended-dwell-time breach makes headlines.

Tags: breach, investment, names, ssn, driver_license