Editor's pick: Originally published Feb. 25
The Tweet by a Vanguard Group customer went out on the morning of Feb. 11.
"Just got 77 e-mails from @Vanguard_Group detailing how much money people withdrew from their accounts along with names," he wrote. "Yay security."
The investor, who subsequently deleted the post, said he would speak with me only if I agreed not to identify him. The emails involved transactions that ranged from $3 to more than $50,000, he said.
Vanguard contacted the man the next morning to ask him to forward copies of the e-mails it had sent him.
Experts on Internet security say it's a troubling error.
"It certainly raises questions as to whether they are properly safeguarding customers' information," said John Reed Stark, a Maryland-based consultant who is former chief of the SEC's Office of Internet Enforcement.
"The SEC has made it clear that protecting customer information is a priority," Stark said. "I would think this rises to the level of a for-cause exam."
An SEC spokeswoman declined to comment.
The emails included other customers' names and the amounts of various transactions they'd made with Vanguard, including withdrawals, loan payments and rollover requests, the investor said.
He declined to forward copies of the e-mails, saying he wanted to protect the privacy of his fellow customers. The investor agreed that TheStreet could publish a screenshot of his Twitter post if his identifying information were deleted.
Screenshot of redacted Tweet, published with permission of Twitter user
Vanguard spokeswoman Arianna Stefanoni Sherlock said the incident was "a one-time, isolated matter" and that the emails contained only names and transaction confirmation details. "Other identifying details were not included, a precaution we take for clients' protection," she said.
Sherlock said that the e-mails the customer received were "limited to 57 clients." The total number of emails sent to the investor was larger than the number of clients because some customers had made more than one transaction.
Although the Vanguard customer said in his Tweet that he'd received 77 e-mails, he counted them again later and realized the total was 72.

Sherlock said Vanguard investigated the incident after seeing the Twitter posting and determined the problem "was due to a system error." She did not elaborate on the error.
Screenshot of one of Vanguard's misdirected confirmation e-mails.
A whistleblower told TheStreet last year that she had tried for several years to get Vanguard's management to pay attention to her concerns about the firm's customer account security measures. TheStreet detailed her complaints in a story on Aug. 10. She was fired 17 days later.
Among the complaints of the whistleblower, Karen Brock, was that Vanguard had used a training manual in the fall of 2014 that failed to redact all of the personal information of some customers, including names, account numbers and e-mail addresses.
Sherlock did not respond to an e-mailed query about whether Vanguard had informed those customers that their information was inadvertently included in the manual, which wasn't marked "For Internal Use Only."
In a post on Vanguard's Facebook page on Dec. 7, a woman complained that she had been receiving mail from Vanguard addressed to the previous owner of her home for 29 years. "What kind of company can't get an address correct for 29 years?" she wrote. Sherlock said the address error was the fault of the investor's plan sponsor, "but we have worked to rectify" it.
Gerard Ferguson, a founding partner of the Privacy and Data Protection Team at law firm BakerHostetler, said his firm handled 250 breach incidents on behalf of clients last year. While he has seen "a lot of misdirected email cases," Ferguson said they typically involve a single e-mail -- nothing on the order of more than 70.
"I would be concerned that it could be part of a broader problem" when 70-plus emails are sent to the wrong person, he said, adding that the incident reflects "terrible customer security."