Major Data Breach at an M&A Target of BNY Mellon

MBIA, the municipal bond insurance giant, suffered a major customer data breach that exposed customer data of an asset-management subsidiary that Bank of New York Mellon has agreed to buy.

Clients' information "may have been illegally accessed," Kevin Brown, a spokesman for MBIA, said Tuesday afternoon. "We are conducting a thorough investigation and will take all measures necessary to protect our customers' data, secure our systems, and preserve evidence for law enforcement."

The breach was first reported Tuesday by the tech security blogger Brian Krebs. An independent security expert, Bryan Seely, reportedly found the data leak by chance after conducting a Google search. The report server hosting account statements containing account and routing numbers, balances, dividends and account holder names for several large asset management pools had apparently been misconfigured in a way that made the information public. The server was disabled Monday, after Krebs notified MBIA.

The customers most exposed appear to be municipal investment pools from Texas, Louisiana, New Hampshire, and Connecticut. The accounts were managed through MBIA's subsidiary, Cutwater Asset Management, which oversees $23 billion in assets. BNY Mellon announced only Monday it had agreed to buy Cutwater for undisclosed terms.

A spokesman for BNY Mellon would not discuss the breach, referring a reporter to MBIA.

The data breach is the latest setback for MBIA, the nation's largest bond insurer, which has been buffeted by Detroit's bankruptcy, Puerto Rico's ongoing credit problems, and an overall slump in revenue. MBIA's stock hit a 52-week low of $8.87 per share last week, which it approached again Tuesday, reaching a low of $8.96 before ending the day at $9.16.