KerberRose Wealth Management Breach Post Mortem: One Inbox, 27,000 People

A single compromised email account at a wealth management firm reached a backup platform holding clients’ Social Security numbers and bank details. Here is how it happened — and what amended Regulation S-P now expects from you.

Bottom line up front: An attacker took over one employee mailbox at KerberRose Wealth Management — itself an SEC-registered investment adviser. That single mailbox compromise resulted in limited access to part of a backup platform that held bulk client data. Public breach reporting puts the count at roughly 27,076 people, exposing names, addresses, Social Security numbers, financial account numbers, bank account information, and dates of birth. The firm found out two days later and notified within 28 days. For an SEC-registered RIA, this is not an analogy — it is the exact scenario amended Regulation S-P now governs. The lessons are about identity, segmentation, and backup access — not exotic malware.

What happened

KerberRose is a Wisconsin accounting firm whose wealth management arm suffered the breach. The mechanics are unremarkable, and that is the point — nothing here required a sophisticated adversary.

  1. April 29, 2026 — account takeover. An unauthorized third party gained access to a single KerberRose employee’s email account.
  2. The mailbox compromise reached the backup. That one compromised mailbox resulted in limited access to a portion of a backup platform used to operate the firm’s wealth management business — the place where bulk client data lived. The public notice does not spell out the exact technical path from the mailbox to that backup.
  3. May 1, 2026 — discovery. KerberRose became aware of the intrusion two days after it began.
  4. The investigation scoped the exposure. Names, addresses, Social Security numbers, financial account numbers, bank account information, and dates of birth for roughly 27,076 people — wealth management customers, plus applicants for and participants in retirement plans the firm services.
  5. May 29, 2026 — notification. KerberRose notified affected individuals by phone and by letter, and offered two years of credit monitoring and identity protection.

That is 28 days between discovery and notice — which lands just inside the new 30-day window that amended Regulation S-P now imposes. A firm without a written, rehearsed plan does not hit that mark by improvising.

Why this one matters to RIAs

No nation-state. No zero-day. No ransomware. One inbox, followed by access to a backup platform holding concentrated client data. The public notice does not explain the exact technical path from the mailbox to the backup — but the compliance lesson is clear: a mailbox compromise should not be able to become a bulk-data event. The entry point was a normal user identity. The damage came from what that identity could reach.

The exposed data — Social Security numbers, bank account information, dates of birth — is the raw material of identity theft and account fraud, and it drives that fraud against clients for years, not weeks. The uncomfortable part for any adviser reading this: a firm does not need to be careless to end up here. It needs only a few common controls left at their default.

The failure modes this pattern exposes — and how to close them

Public reporting does not establish the exact technical pathway from the mailbox to the backup platform, and the four items below are not findings about KerberRose’s internal controls, which the firm has not published. They are the failure modes this incident pattern exposes — the same gaps MTradecraft tests for as standard scope in a cyber risk and threat-detection review. For each, we give why it matters, the remediation, and an example of the policy-and-procedure language that closes it.

1. Account takeover of a single mailbox

Why it matters. One stolen or phished credential should never be enough to start a reportable breach. When it is, the firm has built its security on a single point of failure that every employee carries in their pocket.

Remediation. Enforce phishing-resistant MFA for every human user — no executive exceptions, and a documented compensating control for any service account where user MFA cannot technically apply. Disable legacy authentication in Microsoft 365, which is the usual path around MFA. Enable Conditional Access for risky sign-ins and impossible-travel patterns. And treat MFA bypass requests as security events, not help-desk conveniences.

The Firm requires multifactor authentication on all accounts that access Firm systems or customer information. The Firm disables legacy authentication protocols and applies Conditional Access policies that block or challenge anomalous sign-in activity. Exceptions are prohibited absent written approval by the Firm and a documented compensating control.

2. One identity reached the backup repository

Why it matters. A backup is a concentrated copy of everything. If a standard user identity can reach it, then a single account takeover is no longer a mailbox incident — it is a bulk-data incident. That is precisely the escalation that turned one KerberRose inbox into 27,076 notifications.

Remediation. Isolate backup systems behind separate identities and separate administrative credentials. Apply least privilege so no standard user role can read or restore backups. Encrypt customer data at rest. Put backup access behind its own MFA, and log every access event so reaching the backup is itself a detectable act.

Backup systems containing customer information are segmented from production user environments and are accessible only through dedicated administrative accounts protected by multifactor authentication. Customer information is encrypted at rest. The Firm logs and reviews all access to backup repositories and alerts on access by non-administrative identities.

3. The backup held more data than it needed to

Why it matters. You cannot lose what you do not keep. Every Social Security number and bank account number retained outside a system of record should have a documented business, operational, or regulatory reason for being there; the copies that do not are exposure with no offsetting value — and amended Reg S-P now extends the safeguarding and disposal obligations to customer information wherever it sits, backups included.

Remediation. Map where customer information lives across mailboxes, file stores, custodial platforms, and backups. Set and enforce retention and disposal schedules. Minimize the sensitive fields kept outside the systems of record, so a copy that gets breached carries less.

The Firm maintains a data inventory identifying where customer information resides, including backups and service-provider systems. Customer information is retained only as long as required for business or regulatory purposes and is disposed of by secure methods on a defined schedule.

4. Detection depended on noticing, not on alerting

Why it matters. Two days passed before anyone knew. A backup read by an account that has never touched a backup before should generate an alert, not wait to be spotted. The notification clock — and the harm to clients — runs the whole time the firm is unaware.

Remediation. Enable and retain unified audit logging in Microsoft 365. Configure alert policies for suspicious inbox rules, mass downloads, foreign sign-ins, and new MFA registrations. Route those alerts to a monitored channel with a named owner — and test that they actually fire.

The Firm enables and retains audit logging across its production systems and configures automated alerts for indicators of account compromise. Alerts are routed to a designated responder and are validated through periodic testing.
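The alerting described in items 2 and 4 above, worked as an added example (not code from the KerberRose notice or from MTradecraft): detection logic for anomalous sign-ins, new MFA registrations, inbox-rule creation, mass downloads, and backup access by a non-administrative identity, run over constructed audit records. The field names follow the Microsoft 365 unified audit log's common schema (Operation, UserId, ClientIP); the values, the Country field, the home-country and backup-admin sets, and the backup operation name are assumptions.

```python
# Added example: indicator detection over constructed audit records, not from the page.
import json

HOME_COUNTRIES = {"US"}                       # assumed home geography of the firm
BACKUP_ADMINS = {"admin.backup@example.test"}  # assumed dedicated backup identities
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
BACKUP_OPS = {"BackupRestorePointAccessed"}   # hypothetical backup-platform event name
DOWNLOAD_THRESHOLD = 20                       # FileDownloaded events per user per run

def _rec(time, op, user, **extra):
    """Build one JSON audit record in the unified-audit-log style."""
    return json.dumps({"CreationTime": time, "Operation": op, "UserId": user, **extra})

# Constructed sample: one compromised mailbox user and one legitimate backup admin.
SAMPLE_LOG = "\n".join(
    [_rec("2026-04-29T02:10:00", "UserLoggedIn", "jdoe@example.test", ClientIP="203.0.113.7", Country="RO"),
     _rec("2026-04-29T02:12:00", "User registered security info", "jdoe@example.test"),
     _rec("2026-04-29T02:14:00", "New-InboxRule", "jdoe@example.test", Parameters="MoveToFolder 'RSS Feeds'")]
    + [_rec(f"2026-04-29T02:20:{i:02d}", "FileDownloaded", "jdoe@example.test", ObjectId=f"clients_{i}.xlsx")
       for i in range(25)]
    + [_rec("2026-04-29T02:40:00", "BackupRestorePointAccessed", "jdoe@example.test", ObjectId="wm-backup-01"),
       _rec("2026-04-29T09:00:00", "UserLoggedIn", "admin.backup@example.test", ClientIP="198.51.100.4", Country="US"),
       _rec("2026-04-29T09:05:00", "BackupRestorePointAccessed", "admin.backup@example.test", ObjectId="wm-backup-01")])

def load_events(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return a sorted list of (rule, user) alerts for the indicators named in the text."""
    alerts, downloads = set(), {}
    for e in events:
        op, user = e.get("Operation"), e.get("UserId")
        if op == "UserLoggedIn" and e.get("Country") not in HOME_COUNTRIES:
            alerts.add(("foreign_signin", user))
        elif op == "User registered security info":
            alerts.add(("new_mfa_registration", user))
        elif op in INBOX_RULE_OPS:
            alerts.add(("inbox_rule_created", user))
        elif op == "FileDownloaded":
            downloads[user] = downloads.get(user, 0) + 1
        elif op in BACKUP_OPS and user not in BACKUP_ADMINS:
            alerts.add(("backup_access_by_non_admin", user))
    alerts.update(("mass_download", u) for u, n in downloads.items() if n >= DOWNLOAD_THRESHOLD)
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user in detect(load_events(SAMPLE_LOG)):
        print(f"ALERT {rule}: {user}")
```

The backup-admin account produces no alert because its sign-in is domestic and its identity is in the dedicated set; the mailbox user trips all five rules, which is the difference between a backup read that is spotted and one that is noticed two days later.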

Mapping the incident to amended Reg S-P

Read against the amended rule, each piece of this breach maps to a requirement now in force.

| Requirement | What the breach shows |
| --- | --- |
| Incident response program | Written procedures to detect, respond, and recover. Reaching notice in 28 days is only possible with a real plan in place before the incident, not assembled after it. |
| 30-day customer notice | Due as soon as practicable and no later than 30 days after the firm becomes aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred — not when every forensic question has been answered. Define in advance who is authorized to trigger it. |
| Service-provider oversight | Your written vendor-oversight procedures must be reasonably designed to ensure providers protect customer information and notify the firm as soon as possible — and no later than 72 hours — after becoming aware of a breach involving unauthorized access to a customer-information system they maintain. Contracts or written assurances are the cleanest evidence of that obligation. A hosted backup platform is squarely in scope. |
| Safeguards and disposal | Extended to customer information wherever it is held or maintained — including backups and the copies that live outside your primary systems. |
| Recordkeeping | Retain records of the investigation, the notification decision and its reasoning, and your vendor oversight — consistent with the books-and-records obligations Rule 204-2(a)(25) adds for advisers, which reach the safeguards and disposal policies, records of detected unauthorized access, the response and notification determinations and their basis, and service-provider oversight records and agreements. |

Do this in the next 30 days

  • Confirm phishing-resistant MFA is enforced for all human users — including executives and administrators — and legacy authentication is disabled. Disable direct sign-in for shared mailboxes (reach them through delegated accounts), and inventory service accounts and service principals, replacing them with managed identities where feasible and documenting compensating controls where MFA cannot apply.
  • Identify every place customer information lives, then verify that no standard user identity can reach your backups.
  • Confirm customer data is encrypted at rest in your backups, and that backup access is logged and alerted.
  • Define the internal trigger for the 30-day notification clock. Name the person. Document the threshold.
  • Confirm your vendor-oversight procedures — and the underlying contracts or written assurances — obligate providers to notify you within 72 hours of a breach, and fix the ones that are silent.
  • Run a tabletop exercise against this exact scenario: one compromised mailbox that reaches stored client data.
  • Confirm your incident, notification, and vendor-oversight records are retained in line with your books-and-records obligations.

Most of these are configuration, evidence, and governance work rather than major platform replacements — and all of them are easier to defend before an incident than after one. The firms that treat June 3 as a starting line rather than a finish line are the ones that will not be writing one of these letters next spring.


A backup-access and identity review mapped to amended Regulation S-P is the kind of evidence a firm should be able to put in front of an examiner: the risk assessment performed, the threat-detection review run, and remediation language ready to drop into the manual — each finding mapped to the controlling rule. It is core MTradecraft scope, and it is easier to have in hand before an incident than to assemble after one.

Brian Hahn, MTradecraft LLC — brian@mtradecraft.com · 210-201-2102 · www.mtradecraft.com · Dallas, TX.


For member education. Not legal advice, and does not create an advisory or attorney-client relationship. Facts drawn from KerberRose’s public consumer notification and its state attorney-general filings as reported in June 2026. The control discussion describes the failure modes this attack pattern exploits and does not assert specific findings about KerberRose’s internal controls, which the firm has not published. Confirm your own obligations with qualified counsel.