Garson Brothers Breach: Wire Fraud Attack Exposes SSNs at NY Asset Manager

Garson Brothers Asset Management, a Bronxville, New York-based property management and real estate investment firm, disclosed a data breach affecting 167 individuals after an attacker compromised an employee email account in a wire fraud scheme. The Maine Attorney General filing, posted September 24, 2025, reveals that the firm detected unusual network activity on May 1, 2025, and traced the breach to unauthorized email access on May 19, 2025. Exposed data includes names and Social Security numbers.

The notification letter contains a revealing detail: "It appears that the goal of the threat actor was to use our email to commit wire fraud." This makes the breach a textbook business email compromise (BEC) case -- one of the most financially destructive attack categories tracked by the FBI's Internet Crime Complaint Center (IC3), which reported $2.9 billion in BEC losses in 2023 alone.

Timeline: From Network Intrusion to Notification

The sequence of events spans nearly five months:

May 1, 2025: Garson Brothers detected unusual network activity and engaged cybersecurity experts
May 19, 2025: Investigation identified unauthorized access to an employee email account
September 12, 2025: Address collection for affected individuals completed
September 16, 2025: Notification letters mailed via USPS First Class
September 24, 2025: Maine Attorney General filing submitted

The 146-day gap from discovery to AG notification falls within a range that has become standard for mid-size firms working through the forensic review process. The firm's AG letter, filed by Constangy, Brooks, Smith & Prophete -- a national firm that handles a high volume of breach notifications, including the recent NAHGA Claims Services incident -- describes the delay as the time needed for "a comprehensive review of the affected files" and collecting mailing addresses.

Compared to the 275-day delay in the Roger Keith & Sons Insurance breach, Garson Brothers moved faster. But 146 days still means affected individuals went nearly five months without knowing their SSNs were compromised.

A Wire Fraud Operation That Exposed Personal Data

BEC attacks typically target a company's financial operations -- accounts payable, wire transfers, real estate closings -- by impersonating executives or vendors through compromised email accounts. The attacker's objective is usually to redirect a payment to a fraudulent account. In Garson Brothers' case, the firm explicitly states the attacker sought to use its email system for wire fraud.

Property management and real estate investment firms handle frequent, high-value wire transfers: acquisition payments, tenant security deposits, vendor payouts, and investor distributions. This makes them prime BEC targets. An attacker who controls a legitimate email account at a firm like Garson Brothers can send convincing wire transfer instructions to banks, title companies, or investors.

The SSN exposure was likely collateral. Email accounts at property management firms often contain tenant applications, employee records, and investor documentation -- all of which include SSNs. The attacker may not have been seeking this data specifically, but once inside the mailbox, they had access to everything stored there. This secondary exposure creates identity theft risk for 167 individuals who had no connection to the wire fraud itself.

What Data Was Exposed

The notification confirms that names and Social Security numbers were involved, with the specific data elements varying per individual. Given Garson Brothers' description of itself as handling "the acquisition, development, and management of both residential and commercial properties," the affected population likely includes some combination of:

Current and former employees -- HR records, W-2 forms, direct deposit information
Contractors -- 1099 forms, tax identification numbers
Tenants -- Rental applications containing SSNs for credit checks

SSN exposure from a property management firm carries particular risk because these records are often paired with complete identity profiles used for background and credit checks: full legal names, dates of birth, current and previous addresses, and employment history.

BEC in Real Estate and Financial Services

Wire fraud targeting the real estate sector has been a persistent problem. The FBI's IC3 has flagged real estate transactions as one of the highest-risk categories for BEC schemes, with attackers specifically targeting closing transactions where large sums change hands on tight timelines.

For firms that straddle real estate and financial services -- as Garson Brothers does through its asset management activities -- the risk compounds. These organizations handle both the property transactions that attract BEC operators and the investor capital that creates additional wire transfer exposure.

FinSecLedger's breach tracker shows that email-based attacks remain among the top vectors across investment and financial services firms. The Ameriprise Financial Services phishing breach and the Ashton Thomas Private Wealth compromise -- both involving investment firms hit through email-based attacks -- underscore the pattern: financial services organizations of all sizes remain vulnerable to social engineering that targets email systems as the initial foothold.

Regulatory Context

As a New York-based firm managing real estate assets and potentially holding investor funds, Garson Brothers operates under several regulatory frameworks:

New York's SHIELD Act (Stop Hacks and Improve Electronic Data Security) requires businesses holding private information of New York residents to implement reasonable safeguards, including employee training on security awareness -- a direct control against BEC
The FTC's Safeguards Rule under GLBA applies if Garson Brothers is considered a financial institution, which asset management activities could trigger
If the firm holds SEC-registered funds, the SEC's cybersecurity disclosure rules may require reporting of material cybersecurity incidents

The wire fraud angle raises additional questions. If the attacker successfully redirected funds -- the notification doesn't say whether the wire fraud attempt succeeded -- the firm would face SAR (Suspicious Activity Report) filing obligations through its banking relationships, and potentially insurance claims under its crime/fidelity policy.

What Investment and Property Management Firms Should Do

Enforce MFA on all email accounts without exception. BEC attacks collapse when the attacker can't authenticate to the email account. Hardware security keys (FIDO2/WebAuthn) provide the strongest resistance to phishing-based credential theft.
Implement wire transfer verification procedures. Any wire instruction -- especially changes to previously known accounts -- should require out-of-band verification via a phone call to a known number. Never confirm wire details using the same email channel that could be compromised.
Purge sensitive data from email. SSNs, tax forms, and financial records sitting in employee mailboxes create liability that persists long after the original business purpose. Implement data retention policies that move sensitive documents to encrypted storage and purge them from email.
Deploy email security controls. SPF, DKIM, and DMARC protect outbound email from being spoofed. Inbound filtering with AI-based phishing detection adds another layer. Both are essential for firms that send wire instructions via email.
Pre-position your incident response. Garson Brothers engaged Constangy and forensic experts after the breach. Firms that establish these relationships in advance -- with pre-negotiated rates and SLAs -- can compress the investigation timeline and reduce the notification delay that leaves affected individuals exposed.