219,000 documents exposed: US retirement firm exposes deeply personal financial records


Retirement accounts are supposed to secure US citizens' future, but one exposed cloud bucket may have just handed fraudsters thousands of people's identities.

California-based company Alta Montclair, which manages retirement plans, has exposed a massive trove of sensitive customer information.

The incident came to light after Cybernews research identified a misconfigured Amazon Web Services (AWS) cloud storage bucket that was left publicly accessible online.

According to our team’s estimate, the exposed bucket contains up to 219,000 documents, including highly sensitive personal and financial information about the retirement company’s customers.

What data was exposed?

The publicly accessible bucket contained documents associated with multiple retirement plans and financial services providers managed by Alta Montclair.

Among the organizations referenced in the exposed documents were:

  • Dragon Financial Services
  • PDL Financial Services
  • Retirement Education Partners (REP)
  • SPARK Institute

The leaked records included a broad range of highly sensitive information, such as:

  • Full names
  • Dates of birth
  • Social Security numbers
  • Home addresses
  • Contact information
  • Current and former employer details
  • Retirement plan documents
  • Financial records
  • Legal documents, including wills and testaments
  • In some cases, full credit card information

Encryption keys and internal business records also exposed

Cybernews researchers note that the bucket contained more than just customer records – they also discovered what appears to be a public and private PGP key pair associated with SPARK Institute. Such keys are commonly used to encrypt sensitive files or secure email communications.

Exposure of private encryption keys could potentially undermine the confidentiality of protected communications and file transfers.

Additional files found in the bucket included:

  • Commission tracking logs, exposing detailed information about earnings generated through retirement-related financial products, including SecurePlus Elite, a product commonly offered through 403(b) and similar retirement plans
  • Customer document templates
  • User manuals
  • Internal service documentation
  • Information about sent faxes, including tracking numbers, recipient fax numbers, employee emails, subject lines, and, in some cases, employee phone numbers
  • Website assets, including HTML and CSS files

Some of the leaked documents date back to 2014, the year the company was founded, while others are as recent as this year.

However, our researchers caution that this does not necessarily mean the storage bucket was publicly exposed for the entire period.

"The duration in which the files were accessible remains unknown," they said.

Why is this data leak particularly dangerous?

The Alta Montclair leak contains records that cybercriminals could exploit for identity fraud.

“Customers of Alta Montclair are at serious risk of identity theft, financial fraud, and targeted social engineering attacks,” our researchers explained.

Social Security numbers remain one of the most valuable identifiers for fraudsters, enabling everything from fraudulent account creation to tax scams and financial identity theft.

The exposure of retirement-related records could also allow criminals to craft highly convincing phishing attacks targeting older individuals with retirement accounts. This is an extremely sensitive situation, as elderly people are often the most vulnerable to various types of scams.

Our team warns that even historical records can remain dangerous for years.

“PII of deceased people could be used for post-mortem identity theft, which is usually detected more slowly, because of incomplete cleanup of the data and because the victim cannot notice unauthorized activity.”

Regulatory scrutiny

Beyond risks to affected individuals, the exposure could have significant consequences for Alta Montclair itself.

The company operates in a highly regulated industry that handles retirement and financial data subject to strict compliance requirements.

Our researchers noted that the incident could expose the company to scrutiny under the Employee Retirement Income Security Act (ERISA), which governs many retirement plan operations in the United States.

The exposure may also damage trust among partner organizations and clients that rely on Alta Montclair to manage sensitive retirement-related information.

Cybernews has contacted the company, which promptly secured the data. The company has yet to comment on the situation.

Disclosure timeline:

Leak discovered: May 8th, 2026

Initial disclosure: May 15th, 2026

Data secured: May 18th, 2026
