Sherlock said that the e-mails the customer received were "limited to 57 clients." The total number of emails sent to the investor was larger than the number of clients because some customers had made more than one transaction.
Although the Vanguard customer said in his Tweet that he'd received 77 e-mails, he recounted them later and realized the total was 72.
Sherlock said Vanguard investigated the incident after seeing the Twitter posting and determined the problem "was due to a system error." She did not elaborate on the error.
Screenshot of one of Vanguard's misdirected confirmation e-mails.
A whistleblower told TheStreet last year that she had tried for several years to get Vanguard's management to pay attention to her concerns about the firm's customer account security measures. TheStreet detailed her complaints in a story on Aug. 10. She was fired 17 days later.
Among the complaints of the whistleblower, Karen Brock, was that Vanguard had used a training manual in the fall of 2014 that failed to redact all of the personal information of some customers, including names, account numbers and e-mail addresses.
Sherlock did not respond to an e-mailed query about whether Vanguard had informed those customers that their information was inadvertently included in the manual, which wasn't marked "For Internal Use Only."
In a post on Vanguard's Facebook page on Dec. 7, a woman complained that she had been receiving mail from Vanguard addressed to the previous owner of her home for 29 years. "What kind of company can't get an address correct for 29 years?" she wrote. Sherlock said the address error was the fault of the investor's plan sponsor, "but we have worked to rectify" it.
Gerard Ferguson, a founding partner of the Privacy and Data Protection Team at law firm BakerHostetler, said his firm handled 250 breach incidents on behalf of clients last year. While he has seen "a lot of misdirected email cases," Ferguson says they typically involve a single e-mail -- nothing on the order of more than 70.
"I would be concerned that it could be part of a broader problem" when 70-plus emails are sent to the wrong person, he said, adding that the incident reflects "terrible customer security."