NEW YORK (TheStreet) -- The Vanguard Group, the world's largest mutual fund company, has fired a whistleblower who shared information with TheStreet about deficiencies in the company's customer account security.
According to the public database of stockbroker records kept by The Financial Industry Regulatory Authority, or FINRA, Karen Brock, a client relationship administrator in Vanguard's Scottsdale, Ariz., office, is no longer employed by Vanguard or registered as a broker.
FINRA's public records said nothing about the reason for Brock's termination. But an unredacted version of her records supplied by a state securities regulator said that she had been discharged for "violation of Vanguard's Professional Conduct Policy."
The state records said that her last day at Vanguard was Aug. 27, 2015. Brock said in an interview that she was on family medical leave when she was fired.
Asked whether and why the firm had fired Brock, Vanguard spokeswoman Arianna Stefanoni Sherlock said in an email, "I can't discuss a personnel decision." Sherlock had said in an earlier interview that the firm investigated Brock's claims and remained "confident in our security practices and our efforts to keep our clients' information and their assets safe."
"This is the way companies silence people and scare them from coming forward when things are going wrong" internally, said Brock on Friday. "This is in clear retaliation for the story coming out."
On August 10, TheStreet published an article that detailed Brock's efforts since 2013 to get her bosses to address what she considers threats to the security of Vanguard's 20 million customers.
Brock told TheStreet that Vanguard had been aware since 2013 that customers could log in to their accounts even if they entered typographical errors in their personal security answers. In my own account at Vanguard, I have repeatedly tested her assertions and found them to be true. On some occasions, I have been able to get Vanguard to generate a link to a new password even after deliberately inserting typos into three security answers. Customers still can access their accounts despite typos in security answers.
Brock also detailed to TheStreet the complaints of a customer who said that he had asked his son to mimic his voice to test Vanguard's "Voice Verification System." Vanguard's system allowed the son to gain access to the father's account, Brock said. Brock told TheStreet that the Voice Verification problem had subsequently been fixed.
Last year, at an in-house training session for Vanguard's new Personal Advisor Services money management product, Brock says she pointed out to an instructor that names, email addresses, phone numbers and account numbers of several current or prospective clients had evaded the redaction process in a 97-page manual that had not been marked "Internal Use Only." Brock provided a copy of the manual to TheStreet.
Vanguard manages $3 trillion for 20 million clients, 90% of whom access their accounts online. Brock has not been the only one complaining about Vanguard's account security. Several commenters on a popular website called Bogleheads.org criticized Vanguard's security measures in 2012 after the firm landed on a list called the "Password Hall of Shame."
Brock said that she served 640 of Vanguard's "flagship" customers, who are high-net-worth clients with accounts of $1 million or more. In interviews this summer, Brock said that management had told her "You need to stop talking about these things because it really upsets people."
She filed whistleblower complaints with the Securities and Exchange Commission and FINRA in May 2014. FINRA told Vanguard in a May 29 letter that it had closed its examination of the case. The SEC would not comment when I asked about Brock's complaint earlier in the summer, but Brock said that several officials at the agency interviewed her for nearly two hours in January.
Gary Aguirre, a lawyer who represents whistleblowers, said that the laws concerning whistleblowers are evolving so quickly that it would be hard to guess whether Brock might have a solid retaliation case against Vanguard.
"Companies can call what a whistleblower does whatever they want to call it," he said. "The best example is when they say someone was fired because they breached a confidentiality contract." In Brock's case, Vanguard said she had violated its professional conduct rules.
If Brock was fired for talking to the media, she might have a valid retaliation case if the information she gave to TheStreet mirrored the information she gave to the SEC, Aguirre said. "Obviously, what she did is in the spirit of the whistleblower laws," he said. "Whether she comes within the letter of a particular statute or some case law is another thing."