BlackRock data leak highlights the human side of cybersecurity
BlackRock Inc. made headlines over the weekend with a series of stories that it accidentally exposed confidential information involving about 20,000 financial advisers. In particular, data involving advisers with LPL Financial, Envestnet and Axa Equitable leaked onto BlackRock's iShares website.
The story comes during a time of heightened sensitivity to data and cybersecurity issues across the financial services industry, and some advisers worried what it meant for them. BlackRock is the largest asset manager in the world. If a firm with those resources can't protect information, what chance does the small, independent adviser have?
"Every one of these events is potentially another chink in the armor of a system that needs to get sorted out," said Robert Miller, CEO of data aggregation firm Private Client Resources. "Fundamental changes to the system need to be in place."
The good news is the BlackRock data breach was not the result of a malicious hacker trying to gain access to information. This time, the breach was due to good old-fashioned human error, with someone at BlackRock accidentally posting spreadsheets of sales information to a public part of the website.
Also reassuring, the spreadsheets don't appear to include much information that isn't already publicly available on BrokerCheck or included in Form ADVs. The data is pretty standard stuff for what sales teams put into customer relationship management software — names, email addresses, the amount of assets the adviser has in iShares ETFs and names of BlackRock sales reps they work with.
One spreadsheet categorized advisers by how much BlackRock product they use — with smaller clients labeled as "dabblers" and bigger clients being called "power users" — which could lead to some awkward conversations in the future. But at least it wasn't personally identifiable information like Social Security numbers, account information or passwords.
The spreadsheets also did not report client information, thus allowing every adviser involved to breathe a sigh of relief.
That doesn't mean BlackRock isn't taking the matter seriously. In a statement, BlackRock said it "recognizes the seriousness of the error and we deeply regret that it occurred. We always seek to treat the information entrusted to us with great care."
The lack of personally identifiable information also means BlackRock might avoid any regulatory enforcement, at least in the U.S., Mr. Miller said. However, it could be argued in Europe that adviser names and email addresses do count as PII under the General Data Protection Regulation.
He also believes the U.S. could adopt similar regulations in the near future.
But any information leak demonstrates a breakdown in a firm's policy framework for handling sensitive information, according to Sid Yenamandra, CEO of cybersecurity firm Entreda. It highlights how good security is just as much about human behavior as it is about technology.
"What are the checks and balances of the organization?" Mr. Yenamandra said, noting that his firm sees scenarios like this fairly frequently. "Folks accidentally text stuff to the wrong person, post stuff to their websites, or email something and attach a sensitive spreadsheet. It happens a lot."
Mr. Yenamandra recommended that advisers affected by the data leak immediately contact BlackRock to ask if there is anything they need to do. He also suggested advisers take the opportunity to evaluate how third parties can access their data, and review policies around approvals for sharing sensitive information.
"You've got to have a protocol," he said. "You can't post information that contains any data about anybody without going through approval."
Mr. Yenamandra also commended BlackRock for its swift and decisive response.
"The fact that BlackRock actually came out and was upfront about this demonstrates they were proactive," he said. "A lot of organizations don't even know that there was a data leak until it comes up in a dark web search."
Though BlackRock attributed the breach to human error, Mr. Miller said there are plenty of ways the company could improve its infrastructure to avoid such a mistake. For example, the spreadsheets could have required a password to download.
Private Client Resources splits all client information between three different databases, he said. Therefore, if there was a breach, not enough information would be exposed to be useful.
"The takeaway here is that humans are not perfect, and this could have been critical," Mr. Miller said. "It highlights how hard data security is. The upcoming years are going to make these events very costly for businesses. It's not just going to be public relations."