Notification of a data incident


Intuit Mailchimp, an email provider used by Flourish, recently experienced an unauthorized access incident impacting Flourish data. 

August 25, 2022

Earlier this week, Flourish received a communication from Intuit Mailchimp, one of our email service providers, indicating that our account data had been accessed by an unknown third party.

This incident occurred entirely on the Intuit Mailchimp systems. Intuit Mailchimp has stated that 214 of their corporate clients were impacted as a result of a phishing attack on an Intuit Mailchimp employee.

Flourish’s internal systems and client funds are secure and were not impacted. The purpose of this post is to outline the facts of the incident and encourage our clients to continue to be vigilant to avoid becoming targets of phishing attacks.

Flourish takes security very seriously. We recently completed our SOC 2 Type 1 audit with KPMG, and we consider risk and security in every activity, including vendor selection. However, no systems are invulnerable, so we also strive for a rapid response and maximum transparency in handling the situation.

To that end, we would like to share:

  1. The timeline of events that transpired, as we understand it
  2. Our estimate of the impact
  3. Our response and handling
  4. Our recommended actions for those impacted by the breach

1. Timeline of events:

August 7, 2022: 

August 8, 2022:

  • Intuit Mailchimp discovers the unauthorized access to Flourish’s account and suspends Flourish’s account due to suspicious activity; however, Intuit Mailchimp does not disclose the unauthorized access to Flourish.
    Intuit Mailchimp informs Flourish that our account has been disabled due to a “terms of service violation” with no mention of a potential security breach.

August 9, 2022

  • Flourish reaches out to Intuit Mailchimp via email and phone to clarify what happened. Flourish receives no actionable response.
  • Flourish begins switching to a backup email provider.

August 10, 2022:

  • Intuit Mailchimp emails Flourish saying there may have been “possible unauthorized access” on our account. Flourish immediately responds requesting confirmation and more details. There is no response from Intuit Mailchimp.
August 22, 2022:
  • Intuit Mailchimp emails Flourish with instructions on how to restore access to our account and recommends that we check for specific patterns of suspicious activity. Upon regaining access, Flourish discovers the unauthorized activity from August 7, 2022. This is the first point at which Flourish has actionable communication from Intuit Mailchimp.
  • Flourish immediately initiates its incident response plan, including investigating recent activity for signs of attempted unauthorized logins or activity on client accounts - no sign of attempted access to client accounts is found.
  • Flourish emails Intuit Mailchimp requesting further details on the unauthorized access and confirmation that customer information was accessed.
  • Flourish has received no further communication from Intuit Mailchimp as of Wednesday, August 24, 2022.

2. Impact of the breach:

Flourish stores the minimum possible data with Intuit Mailchimp in order to run our email campaigns, which is why no account information, financial identifiers, balance information or credentials were exposed. With that said, the first name, last name, email address, and associated advisory firm name of our clients were exposed.

At this time, there is no evidence of any attempts to use this information to gain access to Flourish or other accounts. We have not detected any unusual login, password change, or phishing attempts.

3. Our response:

Upon notification of the incident, Flourish took immediate steps to respond. Those included moving to a backup provider, putting our security team on high alert and checking for possible signs of attempted unauthorized access, and promptly notifying clients and advisors. Our attempts to complete this process have been hampered by a lack of timely information and response from Intuit Mailchimp.

We are continuing to closely monitor our systems as well as using third-party threat intelligence providers to monitor for any suspicious activity.

4. Our recommendations for those impacted:

We would like to remind everyone that multi-factor authentication and strong passwords, as well as vigilance against social engineering and phishing attacks, are the best ways to protect yourself from digital fraud. Flourish requires both multi-factor authentication and strong passwords for all clients; we further recommend clients take similar measures on their other accounts, including their email accounts.

No passwords were compromised in this incident, so if you already use a unique, strong password, there is no need to change it.

Given that the names of associated advisory firms were included in the exposed data, please continue to be cautious about revealing information to unknown individuals claiming to be associated with your advisory firm. Immediately report any suspicious attempts to gain access to your accounts.

If you have any additional questions, please do not hesitate to contact our NYC-based support team.

Thank you for your continued support and vigilance.

Josh Owen
Chief Technology Officer