As if the financial sector wasn’t in enough of tailspin recently, Merrill Lynch reported at least five security breaches during the last quarter of 2008. Reports filed by the firm with several states attorney general reveal that:
- On September 3, the company reported a lost laptop containing personally identifiable information to New York State. That report is not currently available online.
- On September 15, the company reported a stolen laptop to New York State. That report is also not currently available online.
- On September 18, the company reported a stolen laptop to Maryland that contained names, addresses, dates of birth, and social security numbers. The report is not available online, and Merrill Lynch has not responded to two inquiries as to whether this was the same laptop reported to NYS or a separate incident.
- On October 9, the company notified Maryland that an external hard drive was lost or stolen during transport to a facility. Information on the drive included clients’ names, social security numbers or tax ID numbers, dates of birth, addresses, phone numbers, email addresses, passport numbers, drivers license numbers, Merrill Lynch account numbers, loan information, insurance policy information, other financial account information, and online user credentials.
- On December 16, the company notified New Hampshire of a stolen laptop containing personal information. The laptop, which was stolen from the firm’s Tacoma office on November 26, contained client information including name, Social Security number, address, telephone number and email address.
- On December 29, the company notified New Hampshire that another laptop was stolen, this one from the home of a third-party contractor’s employee. The theft occurred early in December, and the laptop contained names and social security numbers of “a population of current and former Merrill Lynch Financial Advisors and some applicants for employment.” The laptop did not contain any additional personal or financial information, nor any client data.
The number of employees or clients affected by these breaches was not revealed, and Merrill Lynch has not responded to several requests for additional information.
Past Known Breaches
In 2007, Merrill Lynch reported two data losses to New Hampshire: a laptop stolen from a New York office that contained client information, and a storage device theft affecting 33,000 employees that was reported in the media. Two incidents reported to New York in 2006 were not reported in the media. One involved a laptop stolen from a third-party tax preparer that contained information on 300 individuals. The other involved a laptop stolen from an employee’s vehicle that contained client account data on 10,500 New York residents and 2,800 North Carolina residents; the total number of clients affected was not reported. Other breaches may have been reported to New York for 2007, but complete 2007 data from NYS have not yet been obtained.