Editor's pick: Originally published Feb. 25
The Tweet by a Vanguard Group customer went out on the morning of Feb. 11.
"Just got 77 e-mails from @Vanguard_Group detailing how much money people withdrew from their accounts along with names," he wrote. "Yay security."
The investor, who subsequently deleted the post, said he would speak with me only if I agreed not to identify him. The emails involved transactions that ranged from $3 to more than $50,000, he said.
Vanguard contacted the man the next morning to ask him to forward copies of the emails it had sent him.
Experts on Internet security say it's a troubling error.
"It certainly raises questions as to whether they are properly safeguarding customers' information," said John Reed Stark, a Maryland-based consultant who is former chief of the SEC's Office of Internet Enforcement.
"The SEC has made it clear that protecting customer information is a priority," Stark said. "I would think this rises to the level of a for-cause exam."
An SEC spokeswoman declined to comment.
The emails included other customers' names and the amounts of various transactions they'd made with Vanguard, including withdrawals, loan payments and rollover requests, the investor said.
He declined to forward copies of the emails, saying he wanted to protect the privacy of his fellow customers. The investor agreed that TheStreet could publish a screenshot of his Twitter post if his identifying information were deleted.
Screenshot of redacted Tweet, published with permission of Twitter user
Vanguard spokeswoman Arianna Stefanoni Sherlock said the incident was "a one-time, isolated matter" and that the emails contained only names and transaction confirmation details. "Other identifying details were not included, a precaution we take for clients' protection," she said.