[BreachExchange] BlackRock Exposes Confidential Data on Thousands of Advisers on iShares Site

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 22 10:57:23 EST 2019


https://www.bloomberg.com/news/articles/2019-01-19/blackrock-exposes-data-on-thousands-of-advisers-on-ishares-site?srnd=premium


BlackRock Inc., the world’s largest asset manager, inadvertently posted
confidential information about thousands of financial adviser clients on
its website.

The data appeared in three spreadsheets, linked on one of the New
York-based company’s web pages dedicated to its iShares exchange-traded
funds. The documents included names and email addresses of financial
advisers who buy BlackRock’s ETFs on behalf of customers. They also
appeared to show the assets under management each adviser had in the firm’s
iShares ETFs.

The links were dated Dec. 5, 2018, but it’s unclear how long they were
public. The documents were seen by Bloomberg and removed Friday. BlackRock,
which oversees assets of almost $6 trillion, is the world’s largest issuer
of ETFs.

One of the spreadsheets appears to list more than 12,000 entries of
advisers and their sales representatives at BlackRock. On another, the
advisers were categorized in a variety of ways such as “dabblers” or “power
users.” A column noted their “Club Level” including the “Patriots Club” or
“Directors Club.”

Pledging Review

“We are conducting a full review of the matter,” spokesman Brian Beades
said in a statement Friday. “The inadvertent and temporary posting of the
information relates to two distribution partners serving independent
advisers and does not include any of their underlying client information.”

Securing data is known to keep Wall Street leaders awake at night. But most
often, senior executives cite a fear of hackers, which has prompted some of
the nation’s biggest banks to pour upwards of $1 billion a year into
cybersecurity. It’s one area where financial firms set aside bitter
rivalries, sharing tips and collaborating on projects to ensure the public
remains confident in the industry -- and that it never suffers a
catastrophic loss.

But even data breaches that don’t expose client assets risk reputational
harm.

In 2014, JPMorgan Chase & Co. suffered one of the industry’s largest losses
of information, estimating at the time that hackers had accessed contact
information on more than 80 million clients. Chief Executive Officer Jamie
Dimon vowed to increase the bank’s security budget and embarked on a hiring
spree to build out those operations for what he called “a permanent
battle.” He has repeatedly updated investors on those efforts in annual
letters.

Firms can’t avoid breaches entirely, but they can react to them in a way
that rebuilds trust, said John Reed Stark, who focused on internet crimes
while working in the Securities and Exchange Commission’s enforcement
division and now runs a cybersecurity consulting business.

“Data security incidents are inevitable,” he said after the incident at
BlackRock. “The most important thing in this kind of situation is about the
response from the firm, and whether they’re communicating accurately about
what happened.”