Wells Fargo accidentally leaked thousands of sensitive documents of 50,000 clients to a former financial adviser who subpoenaed the bank as part of a defamation lawsuit against a bank employee. The New York Times reported on Friday (21 July) that Wells Fargo's lawyer inadvertently sent 1.4GB worth of files to former Wells Fargo employee Gary Sinderbrand's lawyer in a CD that contained troves of spreadsheets with customers' names, Social Security numbers, financial details such as the size of their investment portfolios and fees charged by the bank.
"Most are customers of Wells Fargo Advisers, the arm of the bank that caters to high-net-worth investors," NYT reported. "In all, Mr Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all laid out in vivid detail for him as part of the discovery process in his lawsuit."
The documents requested from Wells Fargo as part of the defamation lawsuit were supposed to be select emails and documents related to the case.
Angela A Turiano, the lawyer who sent him the files on a CD, said the "inadvertent" disclosure was caused due to working with an outside vendor that was supposed to screen the documents and only pass on those relevant to Sinderbrand's case.
"We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now," Turiano wrote in an email to Sinderbrand's lawyer, NYT reported. "Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted."
The New York Times confirmed the contents of the documents, noting that the files contained extensive information of Wells Fargo's financial advisers, their compensation, performance and client lists. One file featured sensitive details on a "well-known hedge fund billionaire's" holdings who had at least $23m (£17.7m) invested through Wells Fargo Advisers.
The files were reportedly sent over with no protective orders or written confidentiality agreement between the lawyers. The Times also noted that the documents, which were not filed in court, could legally be released or included in Sinderbrand's legal filings that would then become public record.
Aaron Zeisler, one of Sinderbrand's lawyers, said his client intended to keep the material "secure and confidential".
"We are continuing to evaluate his legal rights and responsibilities," Zeisler said. "Wells Fargo has not identified what specific documents it asserts were inadvertently exposed."
NYT reports that the disclosure could be classified as a data breach that violates state and federal consumer data privacy laws. Wells Fargo will also be required to notify the affected customers whose data was inadvertently exposed.
The latest incident comes amid serious digital security concerns over increasingly frequent and sophisticated cyberattacks and data breaches, accidental data leaks and sensitive personal data potentially being exploited by threat actors.
IBTimes UK has reached out to Wells Fargo for comment.
"Wells Fargo takes the security and privacy of our customers' information seriously," a bank spokesperson told Bloomberg. "The information was provided in response to a subpoena issued in connection with a lawsuit and delivered to an attorney. We will determine whether any information was inadvertently provided and will take the proper steps based on the outcome of our investigation."