First indications of the breach came with letters to customers last month; one of which was uploaded to the Office of Inadequate Security (OIS) website on 18 June. "I am writing to make you aware that some of your personal information, including your name, address, email address, and password, may have been compromised because of an illegal intrusion into the Morningstar Document Research (formerly 10-K Wizard) system," says the letter.
The breach apparently occurred around 3 April 2012. "Earlier this year, we shut down the old servers and moved the data to a more secure infrastructure as part of a migration plan unrelated to this issue." The letter does not say whether it was this migration process that led to the discovery of the breach. And apart from saying that "we have reset all passwords for Morningstar Document Research," it says nothing further about the breach itself.
A few more details came to light with Morningstar's 8K security filing on 5 July. "The intrusion affected about 2,300 users whose credit card information was stored in the Morningstar Document Research (MDR) system. An additional 182,000 clients who had email addresses and user-generated passwords in the system may have been affected."
This was the first point at which the traditional media became aware of the breach. Reuters reported on Saturday, "Morningstar spokeswoman Margaret Cohen said the company became aware of the breach in late May and began informing clients in June. The matter became public on Friday when Morningstar released its 8K filing, which it does on the first Friday of every month."
Associated Press reported Friday, "At this point, we don't have any evidence to suggest that any of the information that was compromised has been misused," the company said in the filing. It doesn't believe any other Morningstar products were affected.
However, the scarcity of information released by Morningstar concerns the Office of Inadequate Security, and it is clear that the company is releasing as little as possible. "It’s not clear to me why I haven’t seen this breach on any of the state websites that disclose breach reports. In response to an inquiry from this site as to which states were notified, Morningstar spokesperson Margaret Kirch Cohen would only say that the firm 'notified the authorities as required',” notes OIS.
The reality is that without a federal law on breach notification there is no uniform US requirement. Chester Wisniewski, in an unrelated blog posting on Naked Security this morning notes that "some US states strengthen data breach notification laws, others ignore them." On Google+ (publicly shared) he commented, "Maybe it is time for the US to nationalize data breach notification laws. This patchwork of 'Hey you live in Michigan, you're screwed, but you might never know. Oh you live in North Dakota, you will at least find out when you're screwed' has got to stop."