Wells Fargo has asked judges to order the return of a trove of data on tens of thousands of wealthy clients accidentally leaked by a lawyer representing the bank.
The highly sensitive data was sent by accident earlier this month by Angela Turiano, who represents Wells Fargo at law firm Bressler Amery Ross.
It was sent to Aaron Miller, representing former Wells Fargo employee Gary Sinderbrand in a case against the bank and his brother in New Jersey. Miller then shared it with Aaron Zeisler, who is representing Sinderbrand in a parallel lawsuit in New York, according to Reuters.
A statement from Wells Fargo Advisors seen by the newswire had the following:
"We take the security and privacy of our customers’ information very seriously. Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."
The information accidentally leaked included client names, Taxpayer Identification Numbers, assets under management, portfolio performance, mortgage information and details on 529 education savings plans, according to the New York Times.
Sinderbrand’s lawyers should have been sent only a small selection of emails and documents relevant to the defamation lawsuit.
Tony Urbanovich, COO of risk exchange platform provider CyberGRX, argued the incident highlights the dangers of third parties misusing data, even by accident.
“In the case of Wells Fargo, that translates to thousands of third parties, any one of whom could cause real financial and reputational damage if compromised,” he added. “It’s critical that organizations hold the third parties they interact with accountable to the same standards of data protection they adhere to internally, and that starts with measuring and monitoring third-party risk exposure.”
Law firms are an increasingly popular target for hackers given the large volumes of sensitive data they hold and process on behalf of their clients, and the sometimes sub-par security controls implemented to protect that data.
Three Chinese nationals were charged several months ago with hacking the servers of two law firms in order to obtain M&A information which enabled them to make $4m in an insider trading scam.