Morningstar Inc. says it discovered an illegal intrusion into its systems that may have compromised some of its clients' personal information, including email addresses, passwords, and credit card numbers.
The investment research provider said the breach took place around April 3.
The intrusion affected about 2,300 users whose credit card information was stored in the Morningstar Document Research system, formerly known as 10-K Wizard. An additional 182,000 clients who had email addresses and user-generated passwords in the system may have been affected, the company said in a filing with the Securities and Exchange Commission.
Morningstar said it shut down old servers and moved data to a more secure system earlier this year in a move unrelated to the incident. It maintains it has taken additional steps to prevent unauthorized access to its systems to protect client information. The company said it is also working with law enforcement officials and credit card companies, as well as investigating the incident on its own.
Morningstar sent notices to clients and reset their passwords. It is offering 12 months of free identity protection to clients whose credit cards may have been compromised.
"At this point, we don't have any evidence to suggest that any of the information that was compromised has been misused," the company said in the filing. It doesn't believe any other Morningstar products were affected.
Shares of Morningstar Inc. closed Friday unchanged at $78.07.