Conrad Capital Management has confirmed a data breach affecting 258 individuals after an unauthorized third party maintained access to its network for nearly four months. The intrusion, which began on November 11, 2025 and persisted until March 8, 2026, was disclosed publicly on April 15, 2026 and exposed a high-value combination of Social Security numbers, driver's license numbers, financial account numbers, and tax identification numbers.

What Happened

On April 6, 2026, Conrad Capital Management identified that an unauthorized third party had gained access to its network environment. A subsequent forensic review revealed the intrusion had begun five months earlier, on November 11, 2025, and continued undetected until March 8, 2026. The firm formally reported the incident on April 15, 2026. The identity of the attacker remains unknown, and no threat group has claimed responsibility. The dwell time of roughly 117 days places this incident well above typical detection benchmarks for financial services firms and suggests gaps in endpoint monitoring, network segmentation, or log retention.

What Was Taken

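The compromised files contained personally identifiable information for 258 individuals. Exposed data types include Social Security numbers, driver's license numbers, financial account numbers, and tax identification numbers.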

While the victim count is small, the sensitivity of the stolen records is exceptionally high. This combination of identifiers constitutes a complete identity profile, sufficient to open fraudulent credit lines, file fraudulent tax returns, or impersonate victims across financial institutions.

Why It Matters

Conrad Capital Management is a wealth management firm, making its client base a target-rich environment for financially motivated threat actors. Small breach counts at boutique financial advisors often precede downstream fraud campaigns because the exposed individuals typically hold significant liquid assets. The months-long dwell time also raises the prospect that the intrusion was not purely opportunistic: prolonged access to a wealth manager's environment can enable reconnaissance for wire fraud, business email compromise against client relationships, or theft of investment account credentials beyond what is disclosed in the notification.

The Attack Technique

Conrad Capital Management has not disclosed the initial access vector, the tools used, or any indicators of compromise. No ransomware claim has been made, no extortion demand has been reported, and the threat actor remains unidentified. The extended four-month dwell window is consistent with either credential-based access through a compromised remote service or a persistent malware implant that evaded endpoint controls. Absent additional detail from the firm or its forensic provider, attribution remains open.

What Organizations Should Do

Financial advisory firms and similarly sized professional services organizations should treat this incident as a prompt to validate detection and response capabilities:

  1. Audit dwell time assumptions by reviewing log retention policies and ensuring endpoint, authentication, and network telemetry is preserved for at least 180 days.
  2. Deploy or tune an EDR solution capable of identifying lateral movement and credential theft behaviors, which are the most common activities during extended dwell periods.
  3. Enforce phishing-resistant MFA on all remote access, email, and privileged administrative accounts to close the most common initial access path.
  4. Segment file shares containing client PII and tax records, and apply strict access logging with alerts on anomalous bulk reads.
  5. Conduct a tabletop exercise simulating a months-long intrusion discovery to validate breach notification, forensic engagement, and client communication workflows.
  6. Notify affected individuals promptly and provide identity monitoring, credit freezes, and IRS IP PIN guidance to reduce downstream tax fraud risk.
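
One way to implement the bulk-read alerting in item 4, as an added example that is not from Conrad Capital Management or the source report: each account's distinct files read per day is compared against that account's own earlier days (median plus k times the median absolute deviation) and an absolute floor. The log format, account names, paths and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample_events():
    """Constructed file-share read log: (date, account, path). All values invented."""
    events = []
    for day in range(1, 15):                        # 14 days of routine activity
        date = f"2025-06-{day:02d}"
        for n in range(5 + day % 3):                # advisor1 reads 5-7 files a day
            events.append((date, "advisor1", f"/clients/tax/{day}-{n}.pdf"))
        for n in range(3):                          # ops1 reads 3 files a day
            events.append((date, "ops1", f"/clients/forms/{day}-{n}.pdf"))
    for n in range(400):                            # day 15: advisor1 sweeps the share
        events.append(("2025-06-15", "advisor1", f"/clients/tax/all-{n}.pdf"))
    for n in range(30):                             # day 15: ops1 has a busy day
        events.append(("2025-06-15", "ops1", f"/clients/forms/q2-{n}.pdf"))
    return events

def daily_distinct_reads(events):
    """Return {account: {date: number of distinct paths read}}."""
    paths = defaultdict(set)
    for date, account, path in events:
        paths[(account, date)].add(path)
    counts = defaultdict(dict)
    for (account, date), seen in paths.items():
        counts[account][date] = len(seen)
    return counts

def bulk_read_alerts(events, k=6.0, min_history=7, floor=50):
    """Flag account-days above both an absolute floor and median + k*MAD
    of that account's own earlier days (a robust per-account baseline)."""
    alerts = []
    for account, per_day in daily_distinct_reads(events).items():
        history = []
        for date in sorted(per_day):
            count = per_day[date]
            if len(history) >= min_history:
                med = median(history)
                mad = median(abs(x - med) for x in history) or 1.0  # avoid zero spread
                if count >= floor and count > med + k * mad:
                    alerts.append((date, account, count))
                    continue                        # keep outliers out of the baseline
            history.append(count)
    return sorted(alerts)

if __name__ == "__main__":
    for date, account, count in bulk_read_alerts(build_sample_events()):
        print(f"ALERT {date} {account} read {count} distinct files")
```

The floor keeps low-volume accounts such as the constructed ops1 from alerting on an ordinary busy day; lowering it trades fewer missed sweeps for more noise.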

Sources: Conrad Capital Management data breach exposes Social Security numbers and financial data | UpGuard