VF Wealth Management Breach Exposes Client SSNs and Financial Data
VF Wealth Management data breach analysis: hackers copied SSNs and financial account data from the Florida RIA's network in July 2025, with notification delayed 159 days.
VF Wealth Management Confirms Hackers Copied Client Data From Network
VF Wealth Management Inc., a registered investment adviser based in Davie, Florida, disclosed a data breach on January 14, 2026, after an unauthorized person gained access to and copied information from the firm's network. The filing with the Maine Attorney General confirms that the compromised data includes names, Social Security numbers, and financial account information -- a combination that is particularly dangerous for clients of a wealth management firm.
The breach occurred on July 30, 2025, but the firm's review of the incident was not completed until January 5, 2026. That 159-day gap between the initial intrusion and the completion of the investigation is significant, especially for a firm that serves high-net-worth clients whose financial profiles make them prime targets for fraud and identity theft.
VFWM is a small RIA led by Gregory Vitale, a CPA and Certified Financial Planner, and Peter Franklin, an Enrolled Agent and financial advisor, operating from a single office at 5240 South University Drive, Suite 106, Davie, FL 33328. The firm provides financial planning, tax preparation, and portfolio management services -- the kind of practice where a relatively small client roster translates to deep, detailed financial records for each individual.
The notification language is specific: the unauthorized person did not merely access the data but copied it. That distinction matters. This was not a failed intrusion or a brief unauthorized view. Data was exfiltrated from the network, meaning client information is now in the hands of an unknown third party.
Timeline of Events
The breach notification establishes the following sequence:
- July 30, 2025: An unauthorized person gained access to and copied information from VFWM's network.
- July 30, 2025 -- January 5, 2026: The firm conducted a review to determine what information was involved and which individuals were affected. The review took 159 days, more than five months.
- January 5, 2026: The data review was completed, identifying the specific personal information accessed and the individuals affected.
- January 14, 2026: VFWM filed breach notifications with the Maine Attorney General and began mailing notification letters to affected individuals.
The nine-day turnaround between completing the review and notifying consumers is reasonable. The 159-day gap between the incident itself and the completion of the data review is the critical number. For a small firm with a limited client base, the scope of data to review should be proportionally small. A five-month review period raises questions about when VFWM first became aware of the intrusion and what investigative resources were available to the firm. It is unclear from the filing whether the intrusion was detected on July 30 and the forensic analysis simply took months to complete, or whether the breach went undetected for a period before being discovered.
The notification letter states that the delay in notification was not the result of a law enforcement investigation. The filing also includes a notable legal caveat: VFWM explicitly reserves "any rights or defenses regarding the applicability of Maine law" -- a defensive posture that suggests the firm's legal counsel anticipates potential regulatory or legal challenges.
What Data Was Exposed
The notification confirms that the following categories of personal information were compromised, with the specific elements varying by individual:
- Full name
- Social Security number
- Financial account information
For clients of a wealth management firm, this combination is exceptionally high-risk. Financial account information at an RIA does not mean a credit card number that can be cancelled and reissued. It means brokerage account numbers, bank account details used for fund transfers, and potentially custodial account identifiers -- the kind of information that enables wire fraud, unauthorized account transfers, and the opening of fraudulent accounts at other institutions.
Paired with Social Security numbers, this data gives an attacker everything needed to impersonate a client. An attacker armed with a client's SSN, account numbers, and name can call a custodian, pass verification checks, and initiate transactions. Wealth management clients are disproportionately valuable targets: they tend to have higher account balances, more complex financial arrangements, and may be less likely to immediately notice a fraudulent transaction among normal portfolio activity.
The notification does not specify whether the exposed financial account information included investment holdings, asset allocations, or tax-related records. Given that VFWM provides both financial planning and tax preparation services, the firm likely maintained detailed financial profiles that could include tax returns, W-2s, 1099s, and comprehensive net worth statements.
How the Attack Happened
The Maine AG filing classifies the incident as "hacking" and states that an unauthorized person "gained access to and copied information" from the network. VFWM has not disclosed the specific attack vector, whether a particular vulnerability was exploited, or whether the intrusion involved compromised credentials, a phishing attack, or an unpatched system.
The fact that data was copied -- not encrypted or held for ransom -- suggests this was not a ransomware attack. The attacker accessed the network, located files containing client data, and exfiltrated them. This pattern is consistent with either a targeted intrusion by an actor interested in the data itself, or an opportunistic compromise where the attacker harvested whatever was accessible before moving on.
Small RIAs like VFWM face a structural cybersecurity disadvantage. A two-person advisory firm does not have a chief information security officer, a security operations center, or a dedicated IT security team. Network security is often managed by a local managed service provider or, in some cases, by the firm's own staff. Endpoint detection, network segmentation, encryption at rest, and security monitoring -- the controls that would detect or prevent this kind of intrusion -- are often absent or minimally configured at firms of this size.
This is not a unique vulnerability. The investment advisory sector has seen a cluster of similar incidents in early 2026. Edelman Financial Engines disclosed an unauthorized access incident affecting 5,083 clients, and Ameriprise Financial Services reported a phishing-related breach affecting 598 individuals. The common thread is unauthorized access to networks or systems containing client PII and financial data.
Who Is Affected
The total number of affected individuals is small by breach-tracker standards. The Maine AG filing lists 2 Maine residents as affected, and the notification letter references provisions for Rhode Island residents (17 mentioned). The total population is likely in the range of a few dozen to low hundreds, consistent with the client base of a small, two-advisor wealth management practice.
But the small number is misleading in terms of actual risk. Wealth management clients are, by definition, individuals with significant investable assets. A breach affecting 50 high-net-worth clients could represent tens or hundreds of millions of dollars in assets under management, with each individual facing outsized risk from identity theft, account takeover, and targeted social engineering.
The notification letter offers 24 months of Experian IdentityWorks credit monitoring to affected individuals. While credit monitoring is a standard remediation offering, it does not protect against wire fraud, account takeover at custodians, or the misuse of financial account information that has already been exfiltrated.
Regulatory and Legal Implications
As a registered investment adviser, VF Wealth Management operates under a regulatory framework that imposes specific cybersecurity obligations beyond standard state breach notification laws.
SEC Regulation S-P (17 CFR 248.30) requires every registered investment adviser to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC's 2023 amendments to Regulation S-P strengthened these requirements, mandating that covered institutions develop incident response programs and notify affected individuals within 30 days of becoming aware that unauthorized access to customer information has occurred or is reasonably likely to have occurred. VFWM's nine-day notification gap after completing its review appears compliant, but the five-month review period itself could draw scrutiny from examiners who may question whether the firm's incident response program was adequate.
Regulation S-ID (the Identity Theft Red Flags Rule) requires financial institutions and creditors, including certain investment advisers, to implement programs that detect, prevent, and mitigate identity theft. Given that the compromised data includes SSNs and financial account information, the SEC may examine whether VFWM had a functioning red flags program and whether it was sufficient to detect the warning signs of the intrusion.
FINRA Rule 4370 requires broker-dealers to maintain business continuity plans, and while VFWM may operate solely as an RIA rather than a broker-dealer, the Financial Industry Regulatory Authority (FINRA) has issued extensive cybersecurity guidance that applies to the broader securities industry. FINRA's examination program increasingly evaluates firms' ability to protect client information, detect intrusions, and respond to incidents.
State notification obligations add another layer. The firm filed in Maine, referenced Rhode Island, and its Florida location subjects it to the Florida Information Protection Act (FIPA), which requires notification within 30 days of determining a breach has occurred. The firm's reservation of rights regarding Maine law's applicability signals that its legal team is prepared for jurisdictional challenges.
For a small firm, the regulatory consequences of a breach can be disproportionately severe. SEC enforcement actions and FINRA sanctions are public, and a cybersecurity-related action against a small RIA can effectively destroy client confidence in the practice.
The Bigger Picture
The VF Wealth Management breach fits a pattern that our breach tracker has been documenting since the start of 2026: small and mid-sized investment advisory firms are being compromised at an accelerating rate. The investment advisory sector is structurally vulnerable because it combines high-value data with, in many cases, minimal security infrastructure.
Large RIAs like Edelman Financial Engines, with $300 billion in assets under management, have the resources to deploy enterprise-grade security tools and staff dedicated security teams. Small firms like VFWM, managing portfolios for a few hundred clients, operate on margins that do not support the same investment in cybersecurity. Yet both types of firms hold the same categories of sensitive data: SSNs, financial account numbers, tax records, and detailed wealth profiles.
The SEC has recognized this gap. In its 2026 examination priorities, the Division of Examinations flagged information security at investment advisers as a focus area, with particular attention to smaller firms that may lack the resources to implement controls proportionate to the sensitivity of the data they hold. The FS-ISAC (Financial Services Information Sharing and Analysis Center) has similarly warned that threat actors are increasingly targeting smaller financial services firms, which are perceived as softer targets than major banks and brokerages.
The FBI's Internet Crime Complaint Center (IC3) has documented a sustained increase in business email compromise, wire fraud, and account takeover attacks directed at the financial services sector. Small advisory firms are particularly exposed to these threats because a single compromised email account or network share can provide access to the entirety of the firm's client data.
The industry needs a structural response. Industry groups, broker-dealer affiliates, and custodians could play a role by providing subsidized security tools, shared threat intelligence, and standardized security baselines for small RIAs. Until that happens, clients of small advisory firms bear a residual risk that no amount of fiduciary duty language can fully mitigate.
What Affected Clients Should Do
If you received a notification letter from VF Wealth Management, take these steps immediately:
- Enroll in Experian IdentityWorks. VFWM is offering 24 months of credit monitoring through Experian. Activate this service before the enrollment deadline in your letter. The service includes credit monitoring, dark web surveillance, and identity restoration assistance.
- Place a credit freeze with all three bureaus. Contact Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-800-888-4213) to place free security freezes. A freeze prevents anyone from opening new credit accounts in your name.
- Contact your custodian directly. If VFWM manages your investments through a custodian such as Schwab, Fidelity, or Pershing, call the custodian and verify that no unauthorized changes have been made to your account, beneficiary designations, or linked bank accounts. Request that verbal authorization passwords or additional verification steps be added to your account.
- File an IRS Identity Protection PIN request. If your SSN was compromised, apply for an IP PIN at irs.gov/ippin to prevent fraudulent tax filings using your Social Security number.
- Monitor for targeted phishing and social engineering. An attacker who has your name, SSN, and financial account details can craft convincing communications that reference your actual accounts. Treat any unsolicited phone call, email, or letter about your investments with extreme skepticism, even if it appears to come from your adviser or custodian. Verify by calling a known number.
- Review your accounts for unauthorized activity. Check all bank accounts, brokerage accounts, and credit lines associated with VFWM or the financial accounts referenced in your notification letter. Report any unauthorized transactions immediately.
- File a report with the FTC. If you discover any misuse of your information, file a report at identitytheft.gov to create an official recovery plan and document the incident.
- Keep records. Retain copies of the notification letter, your credit monitoring enrollment confirmation, and any communications with VFWM or its custodians. These records may be relevant if regulatory action, arbitration, or litigation follows.