Upstream Advisory Group Phishing Breach Exposes Client SSNs
Investment adviser Upstream Advisory Group LLC disclosed a phishing breach after an email account was accessed over 8 days. SSNs and health insurance data exposed.
North Carolina Investment Adviser Hit by 8-Day Phishing Attack Exposing SSNs and Health Data
Upstream Advisory Group LLC, a registered investment adviser based in Garner, North Carolina, disclosed a data breach to the Maine Attorney General on September 18, 2025, after a phishing attack gave an unauthorized individual access to a firm email account over an eight-day window. The compromised account contained names, Social Security numbers, and health insurance information -- a combination that creates dual risk for both financial identity theft and medical fraud.
The filing identifies 2 affected Maine residents, but the total number of individuals impacted was not disclosed in the Maine notification. The incident stands out for two reasons beyond the data exposure itself. First, the attacker maintained access to the email account from May 21 through May 28, 2025, returning at different times over that period -- a pattern consistent with sustained reconnaissance rather than a single opportunistic grab. Second, the notification letter contains an explicit jurisdictional objection, with the firm's outside counsel stating that "this notice does not waive Upstream Advisory's objection that Maine lacks personal jurisdiction over it regarding any claims relating to this incident." That kind of legal positioning in a breach notification is uncommon and signals the firm is anticipating disputes beyond the notification itself.
Timeline: 120 Days From Incident to Notification
The breach timeline reveals a familiar pattern in investment advisory firm incidents -- fast containment followed by a months-long investigation before affected individuals are notified:
- May 21–28, 2025 -- An unauthorized individual accesses a single email account at Upstream Advisory Group "at different times" over an eight-day window. The phrase "at different times" indicates multiple separate sessions, not a single continuous intrusion.
- Late May 2025 -- Upstream Advisory becomes aware of the incident, secures the compromised email account, and engages a third-party cybersecurity firm to conduct a forensic investigation.
- August 19, 2025 -- The investigation determines which individuals had personal information in the affected email account. The forensic team could not establish which specific emails the attacker viewed, so every email and attachment in the account had to be reviewed manually.
- September 18, 2025 -- Upstream Advisory files the breach notification with the Maine Attorney General and begins sending letters to affected individuals.
The gap from incident to notification is approximately 120 days. That timeline is consistent with what we see across the investment advisory sector -- the Ashton Thomas Private Wealth breach took 126 days from detection to disclosure. For comparison, the Ameriprise Financial Services breach achieved notification in 26 days, though Ameriprise had the advantage of same-day detection and significantly larger compliance resources.
The investigative bottleneck here was the inability to determine which emails the attacker actually opened. When forensic tools cannot establish the scope of access, firms are forced into worst-case-scenario analysis: assume everything in the mailbox was compromised and review every message. For a small RIA, that review can take months.
What Data Was Exposed
The notification identifies three categories of compromised data:
- Names -- standard identifying information
- Social Security numbers -- the highest-risk data element for identity theft
- Health insurance information -- creates exposure for medical identity fraud
The combination of SSNs and health insurance data from an investment advisory firm is unusual. RIAs typically handle financial planning documents, account applications, and tax forms -- not health insurance records. The presence of health insurance information in a firm email account suggests one of several possibilities: the firm provides employee benefits administration, the compromised account belonged to someone with HR responsibilities, or client financial planning files included insurance policy details as part of a holistic wealth management approach.
For an investment adviser, SSN exposure carries elevated risk because the firm likely holds detailed financial profiles for its clients. An attacker with a client's SSN and the knowledge that they are a wealth management client can target that individual with highly specific financial fraud -- account takeover attempts, fraudulent wire transfer requests, or new account openings at other institutions. The SSN alone is dangerous; paired with the context of an advisory relationship, it becomes a tool for precision fraud.
How the Attack Happened
The attack vector was email phishing -- the single most common method of initial compromise at investment advisory firms. An unauthorized individual gained access to one email account and returned to it repeatedly between May 21 and May 28, 2025. The eight-day access window with multiple sessions is textbook business email compromise (BEC) behavior. Attackers who gain email credentials through phishing typically do not exfiltrate data in one session. Instead, they return over days or weeks to monitor communications, harvest attachments, and identify high-value targets for follow-on attacks.
Phishing remains the dominant attack vector against investment firms. The Ameriprise Financial Services breach, disclosed in January 2026, involved the same phishing vector and affected 598 individuals -- a pattern we analyzed in our Ameriprise breach coverage. At Ameriprise, the attacker impersonated a client to trick an advisor into providing access. Whether the Upstream Advisory attack used a similar client-impersonation technique or a more generic credential-harvesting phishing email is not disclosed in the notification.
The critical question is whether multi-factor authentication (MFA) was enabled on the compromised account. An eight-day access window with repeated sessions strongly suggests either MFA was not in place or the attacker compromised the second factor. With MFA enabled, stolen credentials alone would not have granted persistent access across multiple sessions over eight days.
Who Is Affected
The Maine AG filing identifies 2 Maine residents among the affected population. The total number of individuals with data in the compromised email account is not stated in the publicly available filing.
Upstream Advisory Group LLC is located at 2624 Timber Drive, Suite 309, Garner, North Carolina 27529. As a North Carolina-based firm, its client base is likely concentrated in the Raleigh-Durham metro area. The small Maine count -- 2 individuals -- suggests the firm has a limited geographic footprint outside of its home state. The total affected population could range from dozens to several hundred depending on the volume of client correspondence in the compromised account, but the notification provides no basis for estimating the true scope.
The firm is offering complimentary credit monitoring through Epiq Privacy Solutions ID, which provides single-bureau monitoring. Single-bureau monitoring is the minimum offering in breach responses -- it detects new account openings reported to one credit bureau but does not provide the three-bureau coverage that identity theft situations warrant. Affected individuals should consider supplementing this with credit freezes at all three bureaus.
Regulatory Implications
As a registered investment adviser, Upstream Advisory Group operates under SEC oversight and the regulatory framework that governs client data protection at RIAs.
SEC Regulation S-P, Rule 30 requires investment advisers to adopt written policies and procedures for safeguarding customer records and information. The SEC's 2023 amendments to Regulation S-P strengthened these requirements by mandating that covered institutions develop incident response programs and notify affected individuals within 30 days of determining that a breach has occurred or is reasonably likely to have occurred. Upstream Advisory's timeline -- determination on August 19, notification on September 18 -- falls at the 30-day boundary of this requirement.
The SEC has made clear through enforcement actions and examination priorities that it expects RIAs to implement specific technical controls, including MFA on email accounts, encryption for client data in transit and at rest, and phishing awareness training. An eight-day email compromise through phishing raises direct questions about whether these controls were in place.
The jurisdictional objection in the notification letter deserves attention. Upstream Advisory's counsel explicitly stated that filing the Maine notification "does not waive Upstream Advisory's objection that Maine lacks personal jurisdiction over it regarding any claims relating to this incident." This language is unusual in breach notifications. Most firms file notifications with state AGs as a compliance obligation without contesting jurisdiction. The objection suggests the firm -- or more precisely, its legal counsel at Robinson Bradshaw -- is positioning defensively against potential enforcement or civil claims from Maine. For a firm with only 2 affected Maine residents, the strategic calculation may be that contesting jurisdiction is worth the signal it sends.
The NYDFS Cybersecurity Regulation would apply if Upstream Advisory serves New York clients or triggers NYDFS jurisdiction through other means. The 500 series requirements include mandatory 72-hour notification to NYDFS, annual risk assessments, and specific technical controls including MFA -- requirements that exceed what most small RIAs have implemented.
The Bigger Picture: RIAs as Phishing Targets
Investment advisory firms occupy a specific position in the financial sector's cybersecurity landscape: they hold extraordinarily sensitive client data but operate with security budgets and IT staffing more typical of small professional services firms. A registered investment adviser with a handful of employees and a few hundred million in assets under management faces the same threat actors that target banks with dedicated security operations centers -- but without the defensive resources.
FinSecLedger's breach tracker shows a steady stream of investment advisory firm breaches. Edelman Financial Engines disclosed a breach affecting 5,083 clients through unauthorized access. Ashton Thomas Private Wealth reported 1,644 individuals affected by email compromise. VF Wealth Management disclosed a hacking incident. The common thread is email and credential-based attacks against firms where email is the primary channel for client communication and document exchange.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) has identified credential phishing and business email compromise as top threats to financial services firms, with advisory firms flagged as particularly exposed. The economics are straightforward: an attacker who compromises an advisory firm email account gains access to client SSNs, account numbers, financial plans, tax returns, and insurance policies -- data that commands premium prices on dark web markets and enables targeted financial fraud.
The SEC's examination program has responded to this pattern. OCIE risk alerts have repeatedly emphasized email security, MFA, and phishing training as baseline expectations for registered advisers. Firms that suffer phishing-related breaches without these controls in place face heightened examination scrutiny and potential enforcement action.
Action Items
For affected individuals:
- Enroll in the credit monitoring offered. Upstream Advisory is providing single-bureau monitoring through Epiq Privacy Solutions ID. Activate it promptly using the information in your notification letter.
- Place credit freezes at all three bureaus. Single-bureau monitoring alone is insufficient when SSNs are exposed. Contact Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-800-888-4213) to place free security freezes. This prevents new accounts from being opened in your name.
- Request an IRS Identity Protection PIN. With your SSN potentially exposed, apply at irs.gov/ippin to prevent fraudulent tax filings.
- Monitor health insurance statements. Health insurance information was exposed in this breach. Review all explanation-of-benefits statements for services you did not receive. Medical identity fraud can be difficult to detect and costly to resolve.
- Watch for targeted phishing. An attacker who knows you are a client of an investment advisory firm may use that context to craft convincing emails or phone calls referencing your financial relationship. Verify any unusual communication through a known phone number.
For registered investment advisers:
- Enable MFA on all email accounts. This is the single most effective control against credential phishing. If your firm does not have MFA on email, you are operating below the SEC's stated expectations and creating unnecessary risk.
- Audit email content. Determine what client data flows through email. SSNs, account numbers, tax returns, and insurance documents should be exchanged through encrypted portals, not email attachments. The email inbox should not be a client data repository.
- Conduct phishing simulations. Annual training is insufficient. Regular simulated phishing campaigns identify employees who are vulnerable and build muscle memory for recognizing attacks.
- Review your incident response plan. A 120-day notification timeline is legally defensible but reputationally costly. Identify the steps that consume the most time -- typically data mining of email contents -- and establish procedures to accelerate that process.
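Two of the adviser action items above, auditing what client data flows through email and shortening the mailbox review that dominated this firm's 120-day timeline, come down to the same capability: being able to scan a mailbox export and say which messages carry SSNs or health insurance details without reading every message by hand. The script below is an added example written for this article, not a tool used by Upstream Advisory or its forensic firm. It runs over a constructed in-memory mailbox (the message structure, the attachment names and the health-insurance keyword list are assumptions), applies an SSN pattern that rejects area, group and serial values the SSA never issues, and reports matches with the SSN masked so the audit output does not itself become a second copy of the data.

```python
import re

# SSN pattern: area 000, 666 and 900-999, group 00 and serial 0000 are never
# issued, so excluding them cuts false positives from invoice and policy numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed keyword list for spotting health insurance details in message text.
HEALTH_TERMS = ("health insurance", "policy number", "member id", "explanation of benefits")

# Attachment types that, in an advisory firm, usually carry forms or client records.
DOCUMENT_EXTENSIONS = (".pdf", ".xlsx", ".xls", ".docx", ".doc", ".csv")

# Constructed sample mailbox export (not real messages).
SAMPLE_MAILBOX = [
    {"id": "msg-001", "subject": "New account application",
     "body": "Attached is the application. Client SSN is 123-45-6789 for the form.",
     "attachments": ["application.pdf"]},
    {"id": "msg-002", "subject": "Lunch Thursday?",
     "body": "Are you free at noon?", "attachments": []},
    {"id": "msg-003", "subject": "Benefits enrollment",
     "body": "Health insurance member ID 9988-77 and policy number P-5544 attached.",
     "attachments": ["enrollment.xlsx"]},
    {"id": "msg-004", "subject": "Reference numbers",
     "body": "Ticket 000-12-3456 and invoice 123-00-4567 are not SSNs.",
     "attachments": ["photo.jpg"]},
]


def mask_ssn(ssn):
    """Keep only the last four digits so audit reports do not re-expose the SSN."""
    return "***-**-" + ssn[-4:]


def classify_message(msg):
    """Return what kinds of sensitive content a single message carries."""
    text = f"{msg['subject']}\n{msg['body']}"
    ssns = SSN_RE.findall(text)
    lowered = text.lower()
    health_hits = [t for t in HEALTH_TERMS if t in lowered]
    doc_attachments = [a for a in msg["attachments"] if a.lower().endswith(DOCUMENT_EXTENSIONS)]
    return {
        "id": msg["id"],
        "ssn_count": len(ssns),
        "ssn_masked": [mask_ssn(s) for s in ssns],
        "health_terms": health_hits,
        "document_attachments": doc_attachments,
    }


def audit_mailbox(mailbox):
    """Summarise a mailbox: which messages hold SSNs, health terms or documents."""
    results = [classify_message(m) for m in mailbox]
    return {
        "messages_scanned": len(results),
        "messages_with_ssn": [r["id"] for r in results if r["ssn_count"]],
        "messages_with_health_terms": [r["id"] for r in results if r["health_terms"]],
        "messages_with_documents": [r["id"] for r in results if r["document_attachments"]],
        "details": results,
    }


if __name__ == "__main__":
    summary = audit_mailbox(SAMPLE_MAILBOX)
    print(f"scanned {summary['messages_scanned']} messages")
    for r in summary["details"]:
        if r["ssn_count"] or r["health_terms"] or r["document_attachments"]:
            print(r["id"], r["ssn_masked"], r["health_terms"], r["document_attachments"])
```

Run routinely, the summary answers the "what client data flows through email" question and points at the senders and workflows that should be moved to an encrypted portal; run after an account compromise, the same pass narrows the manual review to the messages that actually matter, which is the step the article identifies as the bottleneck. Attachments are only classified by name here; a production version would also extract and scan their contents.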