CFD Investments Data Breach Exposes SSNs, Government IDs, and More

A recent data breach at CFD Investments, Inc., a Kokomo, Indiana-based independent broker/dealer, has exposed sensitive personal and financial information of clients. Investigations determined that the unauthorized access occurred between March 15, 2025, and May 9, 2025.

The breach was first discovered on Dec. 16, 2025, after the company found that an unauthorized party gained access to an employee’s email account.

Upon review, CFD Investments found that emails and attachments within the compromised account contained personally identifiable information (PII), including names, Social Security numbers, driver’s license numbers and financial account numbers. The breach was limited to information contained in the affected employee’s email account, and there is no indication that other systems were compromised.

CFD Investments reported the breach to the California, Maine, and New Hampshire attorneys general offices on Jan. 28, 2026, and to the Massachusetts Office of Consumer Affairs and Business Regulation on Jan. 29, 2026. The company began notifying affected individuals by written letter on Jan. 28, 2026.

According to disclosures filed with regulators, the breach affected at least 10 residents in Maine, 79 in Massachusetts and eight in New Hampshire. The total number of people impacted in the United States has not been specified.

CFD Investments's response

CFD Investments took action to secure the affected email account upon discovering the breach. The company engaged a cybersecurity firm to assist with the investigation and reviewed all potentially accessed emails and attachments to determine the scope of the incident.

The company has stated it is enhancing its existing security measures to help prevent similar incidents in the future.

To support those impacted, CFD Investments is offering complimentary credit monitoring and identity theft protection services through Kroll.

Affected individuals are eligible for up to two years of free identity monitoring, which includes credit monitoring, fraud consultation and identity theft restoration. Instructions for enrolling in these services were provided in the notification letters sent to affected consumers.

Given the nature of the breach, individuals whose information may have been exposed should remain vigilant by reviewing account statements and credit reports for unauthorized activity. It is also advisable to consider placing a fraud alert or security freeze on credit files and to take advantage of the free credit monitoring services offered.