BlackRock Exposes Confidential Data on Thousands of Advisers on iShares Site

BlackRock Inc., the world’s largest asset manager, inadvertently posted confidential information about thousands of financial adviser clients on its website.

The data appeared in three spreadsheets, linked on one of the New York-based company’s web pages dedicated to its iShares exchange-traded funds. The documents included names and email addresses of financial advisers who buy BlackRock’s ETFs on behalf of customers. They also appeared to show the assets under management each adviser had in the firm’s iShares ETFs.

The links were dated Dec. 5, 2018, but it’s unclear how long they were public. The documents were seen by Bloomberg and removed Friday. BlackRock, which oversees assets of almost $6 trillion, is the world’s largest issuer of ETFs.

One of the spreadsheets appears to list more than 12,000 entries of advisers and their sales representatives at BlackRock. On another, the advisers were categorized in a variety of ways such as “dabblers” or “power users.” A column noted their “Club Level” including the “Patriots Club” or “Directors Club.”

Pledging Review

“We are conducting a full review of the matter,” spokesman Brian Beades said in a statement Friday. “The inadvertent and temporary posting of the information relates to two distribution partners serving independent advisers and does not include any of their underlying client information.”

Securing data is known to keep Wall Street leaders awake at night. But most often, senior executives cite a fear of hackers, which has prompted some of the nation’s biggest banks to pour upwards of $1 billion a year into cybersecurity. It’s one area where financial firms set aside bitter rivalries, sharing tips and collaborating on projects to ensure the public remains confident in the industry -- and that it never suffers a catastrophic loss.

But even data breaches that don’t expose client assets risk reputational harm.

In 2014, JPMorgan Chase & Co. suffered one of the industry’s largest losses of information, estimating at the time that hackers had accessed contact information on more than 80 million clients. Chief Executive Officer Jamie Dimon vowed to increase the bank’s security budget and embarked on a hiring spree to build out those operations for what he called “a permanent battle.” He has repeatedly updated investors on those efforts in annual letters.

Firms can’t avoid breaches entirely, but they can react to them in a way that rebuilds trust, said John Reed Stark, who focused on internet crimes while working in the Securities and Exchange Commission’s enforcement division and now runs a cybersecurity consulting business.

“Data security incidents are inevitable,” he said after the incident at BlackRock. “The most important thing in this kind of situation is about the response from the firm, and whether they’re communicating accurately about what happened.”