A data leak revealed last week at BlackRock Inc. exposed names, email addresses and other information of about 20,000 advisors who are clients of the asset manager, including 12,000 at LPL Financial, the largest U.S. independent broker dealer.
“BlackRock inadvertently posted a small number of sales-related documents, which were up for a short period of time, and promptly removed,” the company said Monday in an emailed statement. “The information related to a very limited number of wealth management platforms impacting approximately 20,000 independent advisors in the U.S.”
LPL informed advisors over the weekend that BlackRock posted details about some of them on its website. The leak affected advisors who do business with BlackRock’s iShares exchange-traded funds unit.
“After being informed by BlackRock of this issue, our first priority was to reach out to our advisors to make them aware of the situation and share the details we had learned,” Jeffrey Mochal, a spokesman for LPL, said Sunday in a statement. “We will continue to stay in close communication with BlackRock as they research the incident and will share information with our advisors as it becomes available.”
BlackRock and LPL are the latest financial firms to be ensnared in a data issue affecting a key part of their business. ETF sales are crucial to BlackRock, which runs the world’s largest ETF business.
Such products account for one-third of the approximately $6 trillion in assets BlackRock oversees. Registered financial advisors who work with brokerages such as LPL are a key channel for getting ETFs into individual investor portfolios.
BlackRock didn’t identify the other platforms affected. The company said it “recognizes the seriousness of the error and we deeply regret that it occurred. We always seek to treat the information entrusted to us with great care.”
Bloomberg News reported on Friday that BlackRock accidentally released information on thousands of financial advisors on its website. The data appeared in several spreadsheets, some of which included designations such as “club level.” LPL categorizes advisors with such tiers, including a so-called “Chairman’s Club” for some top performers.
In its statement, BlackRock said the disclosures resulted from human error. “There was no security breach and no compromise of BlackRock systems,” the firm said. Sales-related information for an internal customer relationship management-related system was inadvertently posted on iShares.com, the company said.
BlackRock said it notified affected firms about the leak, and that after performing reviews of its website, the company is confident it understands the “limited scope and implications” of the issue.
“The sales related documents did not relate to any other client businesses at BlackRock,” according to the statement.
“No information about financial advisors’ end clients was included,” BlackRock said. “And no sensitive personal or financial information about advisors or anyone else was included. Additionally, there were no ticker- or portfolio-level holdings information disclosed.”
LPL serves more than 16,000 financial advisors with functions including trading and compliance. In a separate incident in November, LPL said that it was investigating a data breach at a vendor firm, Capital Forensics Inc., that put investors’ personal information at risk.
Capital Forensics confirmed at the time that the attack exposed data from a “small number” of its clients.
Keeping information secure is an increasingly important issue at financial firms, forcing them to brace against both cyber attacks and human error.
“Inadvertent exposure and loss of data is more common than we think,” Rahul Telang, a professor of information systems and management at Carnegie Mellon University, said in an interview. “A lot of time the firms spend a lot of money trying to protect data from hackers but small errors on the part of a human can have the same effect.”
Karen Barr, president and chief executive officer of the Investment Adviser Association, said any advisors concerned their information may have been disclosed should start by taking stock of what was released.
“The first step is to assess the depth and type of the information” that was available, she said. “You really put your arms around the issue and the extent of the potential damage.”