Tiger Brokers Breach Exposes SSNs and Medical Data, Notifications Sent April 2026
Tiger Brokers confirmed a 2025 breach of personal and health information; notifications began in April 2026. Learn the timeline, impact, and mitigation steps.

TL;DR
Tiger Brokers discovered a breach on July 10 2025 that exposed names, Social Security numbers, driver’s licenses, government IDs, and medical records; the firm started notifying affected individuals on April 17 2026.
Context
Tiger Brokers, operating as US Tiger Securities, runs a virtual back‑office that supports its brokerage and the affiliated TradeUP platform. The environment stores sensitive client data for regulatory and operational purposes. In mid‑2025, the firm detected anomalous activity that triggered an internal investigation.
Key Facts
- Timeline: Unauthorized actors accessed the back‑office between July 8 and July 9 2025, encrypting files and copying data. The breach was identified on July 10 2025. A full forensic review concluded on April 17 2026, after which the company began notifying impacted customers.
- Scope: Exfiltrated records include full names, Social Security numbers, driver’s license numbers, other government‑issued IDs, and both medical and health‑insurance information. The breach affected the primary client database used by US Tiger Securities and TradeUP.
- Attack Vector: Preliminary analysis points to exploitation of an unpatched remote desktop protocol (RDP) service, a common entry point for ransomware‑like actors. The attackers used credential‑stealing techniques (MITRE ATT&CK T1110 – Brute Force) to gain access, then deployed a file‑encryption tool (T1059 – Command‑Line Interface) to lock data before exfiltration.
- Attribution: No public claim of responsibility has emerged. Indicators match known tools used by financially motivated cybercrime groups, but attribution remains inconclusive.
- Financial Impact: The firm has not disclosed direct costs, but breach response, legal fees, and potential regulatory penalties are likely to exceed several million dollars.
What It Means
The exposure of Social Security numbers and health data raises the risk of identity theft, fraudulent medical claims, and targeted phishing attacks. Affected individuals should monitor credit reports, consider fraud alerts, and verify any medical billing statements for unauthorized services. The breach also underscores the need for robust segmentation of high‑value data and strict access controls in fintech environments.
Mitigations – What Defenders Should Do
1. Patch RDP Services – Apply the latest security updates for Remote Desktop Protocol and enforce Network Level Authentication.
2. Enforce MFA – Deploy multi‑factor authentication for all privileged accounts to block credential‑theft attacks.
3. Network Segmentation – Isolate sensitive databases from general‑purpose workloads; use zero‑trust principles.
4. Monitor for Encryption Activity – Deploy detection signatures for file‑encryption behaviors (e.g., ATT&CK T1486 – Data Encrypted for Impact).
5. Implement Data Loss Prevention – Apply DLP rules that flag bulk export of PII (personally identifiable information) and PHI (protected health information).
6. Conduct Regular Audits – Perform quarterly reviews of access logs and privileged account usage.
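The access-log review in mitigation 6, applied to the brute-force vector named in the Key Facts, as an added example that is not from the article or from Tiger Brokers: it flags source addresses with a burst of failed remote logons (Windows event 4625) and records whether a successful logon (4624) followed. The CSV export layout, the thresholds, and every sample row are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the incident): Security-log rows exported as
# timestamp,event_id,logon_type,account,source_ip (this layout is an assumption).
SAMPLE_EVENTS = """\
2025-01-01T02:00:01,4625,3,admin,203.0.113.7
2025-01-01T02:00:03,4625,3,administrator,203.0.113.7
2025-01-01T02:00:05,4625,3,svc_backup,203.0.113.7
2025-01-01T02:00:06,4625,3,svc_backup,203.0.113.7
2025-01-01T02:00:08,4625,3,svc_backup,203.0.113.7
2025-01-01T02:00:15,4624,10,svc_backup,203.0.113.7
2025-01-01T09:00:00,4625,10,jdoe,198.51.100.20
2025-01-01T09:00:20,4624,10,jdoe,198.51.100.20
2025-01-01T10:00:00,4625,3,admin,192.0.2.44
2025-01-01T10:20:00,4625,3,admin,192.0.2.44
2025-01-01T10:40:00,4625,3,admin,192.0.2.44
"""

FAILED, SUCCESS = "4625", "4624"   # Windows logon failure / logon success
REMOTE_LOGON_TYPES = {"3", "10"}   # Network (RDP with NLA) and RemoteInteractive

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert on source IPs with >= threshold failed remote logons inside window.
    Rows must be in chronological order; each alert notes a later success."""
    recent = defaultdict(deque)    # source IP -> timestamps of recent failures
    alerts = {}                    # source IP -> alert record
    for line in lines:
        if not line.strip():
            continue
        ts_s, event_id, logon_type, account, ip = line.strip().split(",")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue               # ignore console, service and batch logons
        ts = datetime.fromisoformat(ts_s)
        if event_id == FAILED:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"source_ip": ip, "first_alert": ts,
                              "account_after_success": None}
        elif event_id == SUCCESS and ip in alerts:
            if alerts[ip]["account_after_success"] is None:
                alerts[ip]["account_after_success"] = account
    return list(alerts.values())
```

An alert whose `account_after_success` is set is the case to escalate first, since the guessing was followed by a working logon from the same address.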
Looking Ahead
Watch for regulatory filings from the Texas Attorney General’s Office and potential class‑action lawsuits that could shape industry‑wide data‑protection standards.