The California Office of the Attorney General disclosed a data breach affecting SharesPost, Inc. in December 2019. Between September 6 and September 18, 2019, an unauthorized party gained access to an employee’s email account, potentially exposing sensitive personal information. The compromised data included names, addresses, dates of birth, Social Security numbers, and bank account details. While there was no direct evidence confirming the data was accessed or misused, the exposure posed significant risks, including identity theft, financial fraud, and reputational harm. The breach stemmed from a likely phishing or credential compromise attack, highlighting vulnerabilities in email security protocols. Given the nature of the exposed data particularly financial and personally identifiable information (PII) the incident raised concerns over compliance with data protection regulations and the company’s ability to safeguard customer and employee information.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-185464
TPRM report: https://www.rankiteo.com/company/sharespost
"id": "sha021091825",
"linkid": "sharespost",
"type": "Breach",
"date": "9/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Financial Services / Private Market '
'Investments',
'location': 'California, USA',
'name': 'SharesPost, Inc.',
'type': 'Private Company'}],
'attack_vector': 'Compromised Employee Email Account',
'data_breach': {'data_exfiltration': 'Potential (no direct evidence)',
'file_types_exposed': ['Emails (likely containing attached or '
'embedded PII/financial data)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs and bank account '
'details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data']},
'date_detected': '2019-09-18',
'date_publicly_disclosed': '2019-12-27',
'description': 'The California Office of the Attorney General reported a data '
'breach involving SharesPost, Inc. on December 27, 2019. The '
'breach occurred from September 6 to September 18, 2019, when '
'an unauthorized party accessed an employee email account. The '
'breach potentially exposed personal information such as '
'names, addresses, dates of birth, social security numbers, '
'and bank account information, although there is no direct '
'evidence that the data was accessed.',
'impact': {'data_compromised': ['Names',
'Addresses',
'Dates of Birth',
'Social Security Numbers',
'Bank Account Information'],
'identity_theft_risk': 'Potential (no direct evidence of data '
'access)',
'payment_information_risk': 'Potential (bank account information '
'exposed)',
'systems_affected': ['Employee Email Account']},
'initial_access_broker': {'entry_point': 'Employee Email Account'},
'investigation_status': 'Disclosed; no evidence of data access confirmed',
'post_incident_analysis': {'root_causes': ['Compromised employee credentials '
'(likely phishing or credential '
'stuffing)']},
'references': [{'date_accessed': '2019-12-27',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['California Data Breach '
'Notification Law '
'(likely)'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'threat_actor': 'Unauthorized Party',
'title': 'SharesPost, Inc. Data Breach (2019)',
'type': 'Data Breach'}