Oxler Private Wealth Breach Exposes Client SSNs via Microsoft 365 Compromise
Analysis of the Oxler Private Wealth data breach affecting 239 individuals after a Microsoft 365 account takeover -- timeline, financial data exposure, and lessons for wealth management firms.
A Microsoft 365 account takeover at Oxler Private Wealth, a Rye Brook, New York-based wealth management firm, exposed Social Security numbers, financial account numbers, and driver's license numbers belonging to 239 individuals. The breach, which occurred over four days in late March 2025, was disclosed to the Maine Attorney General on July 31, 2025.
An unauthorized actor gained access to an employee's Microsoft 365 account between March 24 and March 27, 2025, accessing emails and files stored within the compromised mailbox. The firm discovered the intrusion on March 27 -- the same day the unauthorized access ended -- and engaged a cybersecurity firm to investigate. Oxler is offering affected individuals credit monitoring and identity theft restoration services through Kroll.
While 239 records may seem modest compared to the mega-breaches that dominate headlines, the nature of the data involved -- and the type of clients a private wealth firm serves -- makes this incident particularly consequential. Wealth management clients tend to hold significant investable assets, and the combination of SSNs and financial account numbers gives attackers everything they need to attempt wire fraud or account takeovers at custodian institutions.
Breach Timeline
The timeline of this incident follows a pattern common in Microsoft 365 compromises at small financial firms:
- March 24, 2025: Unauthorized access to employee Microsoft 365 account begins.
- March 27, 2025: Unauthorized access ends. Oxler Private Wealth discovers the breach the same day.
- March 27 – July 9, 2025: Third-party cybersecurity firm conducts forensic investigation and data review to determine what information was accessible in the compromised account.
- July 9, 2025: Data review completed. Affected individuals identified.
- July 31, 2025: Notification letters sent to affected individuals. Maine AG filing submitted.
The roughly four-month gap between discovery and notification is worth noting. While critics may view any delay as excessive, this timeline is actually faster than many investment advisory firms manage. The review period -- identifying exactly which emails and attachments contained personal information across a mailbox -- is often the bottleneck. Forensic teams must parse through every message and file the compromised account could access, a process that scales with the volume of data in the mailbox rather than the number of affected individuals.
What Data Was Exposed
The compromised Microsoft 365 account contained files and emails with the following data types:
- Social Security numbers
- Driver's license numbers
- Financial account numbers
- Names
For clients of a private wealth management firm, this data profile is especially dangerous. Unlike a retail breach where a stolen credit card number can be quickly canceled, the exposure of SSNs paired with financial account numbers creates a layered risk.
Attackers can use this combination to attempt fraudulent wire transfers, open new lines of credit, file false tax returns, or impersonate clients when contacting custodians and financial institutions by phone. High-net-worth individuals are already disproportionately targeted by social engineering schemes, and a data set like this provides the raw material for highly convincing impersonation.
The inclusion of driver's license numbers adds another vector. In many states, a driver's license number combined with an SSN satisfies the identity verification requirements for opening new accounts or requesting changes to existing ones.
How the Attack Happened
The breach vector -- unauthorized access to an employee's Microsoft 365 account -- points to a phishing or credential compromise attack. This is one of the most common attack patterns affecting financial advisory firms, and it has been accelerating as the industry has moved client communications and document storage into cloud-based platforms.
In a typical scenario, an employee receives a phishing email that mimics a Microsoft login page, an e-signature request, or a voicemail notification. The employee enters their credentials, and the attacker gains access to the full contents of their mailbox and OneDrive. If multi-factor authentication is not enforced -- or if the attacker uses an adversary-in-the-middle toolkit to capture session tokens -- the compromise can persist for days before detection.
This same pattern played out in the Ashton Thomas Private Wealth breach, where a phishing attack on another wealth management firm compromised data belonging to 1,644 individuals in October 2025. The Ashton Thomas incident analysis documented nearly identical tactics: Microsoft 365 account compromise, email and file access, and a multi-month notification timeline.
Microsoft 365 has become the dominant productivity platform for small and mid-size financial advisory firms, which means it has also become the dominant attack surface. The FBI's Internet Crime Complaint Center has reported that business email compromise -- the broader category that includes these account takeover attacks -- resulted in over $2.9 billion in reported losses in 2023 alone, with financial services firms among the most frequently targeted sectors.
Who Is Affected
Oxler Private Wealth reported 239 total affected individuals, with 2 Maine residents specifically identified in the state filing. The affected population likely consists of current and former clients of the firm, along with potentially some business contacts whose information appeared in the compromised employee's email.
As a registered investment adviser headquartered at 800 Westchester Avenue in Rye Brook, New York, Oxler Private Wealth serves a clientele that skews toward high-net-worth individuals and families. The firm's location in Westchester County -- one of the wealthiest counties in the United States -- suggests that affected clients may have substantial assets at risk if their exposed data is exploited for fraud.
Individuals who received notification letters from Oxler should take the offered Kroll credit monitoring seriously, but should also take independent steps: placing fraud alerts with the three credit bureaus, monitoring financial accounts for unauthorized activity, and remaining vigilant against phishing attempts that leverage the stolen personal data.
Regulatory Implications
Investment advisory firms operate under a distinct regulatory framework when it comes to cybersecurity, and this breach may trigger scrutiny from multiple directions.
SEC Regulation S-P, Rule 30 -- commonly known as the "Safeguards Rule" -- requires registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. Following the SEC's 2023 amendments to Regulation S-P, firms now face stricter requirements around incident response plans and notification timelines. The SEC has made clear through enforcement actions that a breach itself is not necessarily a violation, but inadequate safeguards preceding the breach -- such as failing to enforce multi-factor authentication -- can be.
FINRA Rule 4370 requires member firms to maintain business continuity plans that address cybersecurity threats, and FINRA has increasingly incorporated cybersecurity into its examination priorities. If Oxler Private Wealth is also a FINRA-registered broker-dealer, the breach could prompt an examination cycle focused on the firm's email security controls.
New York's SHIELD Act imposes its own breach notification requirements on companies that hold private information of New York residents. Given Oxler's New York headquarters, the firm is subject to the state's notification timeline and security program requirements.
Beyond specific regulations, investment advisers owe a fiduciary duty to their clients. The SEC has argued that this fiduciary obligation extends to protecting client data, and firms that fail to implement reasonable cybersecurity controls risk enforcement actions framed around breach of fiduciary duty rather than specific technical violations.
The Bigger Picture
Oxler Private Wealth joins a growing list of investment advisory and wealth management firms that have disclosed breaches tied to email account compromises. Our breach tracker shows a clear trend: firms managing client wealth are being targeted specifically because of the value of the data they hold and -- in many cases -- the relative immaturity of their security programs compared to larger financial institutions.
The Edelman Financial Engines breach, disclosed in February 2026 and affecting 5,083 individuals, underscores that this is not a problem limited to small shops. Even firms with significant assets under management and larger operational footprints are vulnerable to account takeover attacks. The Garson Brothers Asset Management incident, affecting 167 individuals through a hacking attack in September 2025, rounds out a pattern that spans firms of every size.
The SEC has signaled repeatedly that investment adviser cybersecurity is a priority. The Commission's examination division has conducted multiple sweep examinations of adviser cybersecurity practices, and the 2023 amendments to Regulation S-P raised the compliance baseline for the entire industry. Firms that have not yet implemented conditional access policies, phishing-resistant MFA, and email security monitoring should expect that a breach will bring regulatory consequences alongside the direct harm to clients.
Microsoft 365 environments, in particular, require deliberate hardening. The default configuration of a Microsoft 365 tenant does not provide adequate protection for a firm handling sensitive financial data. Without conditional access policies, advanced threat protection, and audit logging, a single compromised credential can expose an entire client book.
Action Items for Investment Advisory Firms
Firms that want to avoid repeating Oxler's experience should prioritize the following controls:
- Enforce phishing-resistant MFA on all Microsoft 365 accounts. FIDO2 security keys or certificate-based authentication eliminate the risk of adversary-in-the-middle phishing attacks that bypass SMS and authenticator app codes.
- Implement conditional access policies. Block sign-ins from unmanaged devices, unfamiliar locations, and suspicious IP ranges. Require compliant devices for access to email and file storage.
- Enable unified audit logging and mailbox auditing. Microsoft 365 audit logs are not enabled by default in all configurations. Ensure that sign-in logs, mailbox access events, and file access events are captured and retained for at least 90 days.
- Deploy email threat protection. Microsoft Defender for Office 365 or a third-party email security gateway can catch credential phishing emails before they reach employee inboxes. Safe Links and Safe Attachments should be enabled at minimum.
- Conduct tabletop exercises for email compromise scenarios. Staff should know exactly what to do when a suspected account takeover is identified -- including how to revoke active sessions, reset credentials, and preserve forensic evidence.
- Review what data lives in email. Many firms allow sensitive documents -- account statements, tax forms, client onboarding paperwork -- to accumulate indefinitely in employee mailboxes. Implement retention policies that limit the blast radius of any single account compromise.
- Engage the NIST Cybersecurity Framework as a baseline. For smaller firms without a dedicated security team, the NIST CSF provides a structured approach to identifying and closing the most critical gaps.
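The audit-logging control above only pays off if someone uses the logs, and the data-review bottleneck described in the timeline section shrinks when sign-in, mailbox and file events can be tied together quickly. This added example (not code from the original article, from Oxler, or from its investigators) triages unified audit log records in the JSON shape Microsoft 365 exports: it treats sign-ins from IPs outside a known-egress allowlist as suspect, then attributes every mailbox read and file access from those IPs to the intrusion and reports the dwell time and files touched. The user, IPs, paths, timestamps and the `KNOWN_IPS` allowlist are constructed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed records in the shape of unified audit log AuditData JSON
# (field names are real; user, IPs, paths and times are made up).
SAMPLE_AUDIT_JSON = """
{"CreationTime":"2025-03-24T08:02:11","Operation":"UserLoggedIn","UserId":"advisor@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory","ObjectId":"Unknown"}
{"CreationTime":"2025-03-24T13:41:52","Operation":"UserLoggedIn","UserId":"advisor@example.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","ObjectId":"Unknown"}
{"CreationTime":"2025-03-24T13:43:10","Operation":"MailItemsAccessed","UserId":"advisor@example.com","ClientIP":"203.0.113.45","Workload":"Exchange","ObjectId":"advisor@example.com"}
{"CreationTime":"2025-03-25T02:15:33","Operation":"FileDownloaded","UserId":"advisor@example.com","ClientIP":"203.0.113.45","Workload":"OneDrive","ObjectId":"Documents/Clients/onboarding-2024.xlsx"}
{"CreationTime":"2025-03-27T09:30:00","Operation":"MailItemsAccessed","UserId":"advisor@example.com","ClientIP":"203.0.113.45","Workload":"Exchange","ObjectId":"advisor@example.com"}
{"CreationTime":"2025-03-25T09:01:00","Operation":"FileAccessed","UserId":"advisor@example.com","ClientIP":"198.51.100.7","Workload":"OneDrive","ObjectId":"Documents/notes.docx"}
"""

# Constructed allowlist: the firm's known office/VPN egress addresses per user.
KNOWN_IPS = {"advisor@example.com": {"198.51.100.7"}}
FILE_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}
TS_FMT = "%Y-%m-%dT%H:%M:%S"

def parse_records(text):
    """One JSON object per line, as produced by exporting AuditData."""
    return [json.loads(line) for line in text.strip().splitlines()]

def triage(records, known_ips):
    """Attribute mailbox and file activity to sign-ins from unknown IPs.
    Returns per user: suspect IPs, first/last activity, files touched and
    the count of mailbox-read operations (the scoping data a review needs)."""
    records = sorted(records, key=lambda r: r["CreationTime"])
    suspect = defaultdict(set)
    for r in records:  # pass 1: which IPs signed in without being known
        if r["Operation"] == "UserLoggedIn" and r["ClientIP"] not in known_ips.get(r["UserId"], set()):
            suspect[r["UserId"]].add(r["ClientIP"])
    findings = {}
    for r in records:  # pass 2: everything those IPs did in the tenant
        user, ip = r["UserId"], r["ClientIP"]
        if ip not in suspect.get(user, ()):
            continue
        f = findings.setdefault(user, {"ips": set(), "first": r["CreationTime"],
                                       "last": None, "files": set(), "mail_reads": 0})
        f["ips"].add(ip)
        f["last"] = r["CreationTime"]
        if r["Operation"] == "MailItemsAccessed":
            f["mail_reads"] += 1
        elif r["Operation"] in FILE_OPS:
            f["files"].add(r["ObjectId"])
    return findings

def dwell_hours(finding):
    """Hours between the first suspect sign-in and the last suspect action."""
    first, last = (datetime.strptime(finding[k], TS_FMT) for k in ("first", "last"))
    return (last - first).total_seconds() / 3600

if __name__ == "__main__":
    for user, f in triage(parse_records(SAMPLE_AUDIT_JSON), KNOWN_IPS).items():
        print(user, sorted(f["ips"]), f"{dwell_hours(f):.1f}h", f["mail_reads"], sorted(f["files"]))
```

Against the constructed sample this reports a roughly 68-hour dwell from one unknown IP, two mailbox reads and one downloaded client spreadsheet, while the known-IP file access on March 25 is correctly left out of scope.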
The pattern is clear and the playbook is well-documented. Microsoft 365 account takeovers will continue to be the dominant attack vector against wealth management firms until the industry treats email security as a core compliance obligation rather than an IT convenience.