Sentry Life Insurance is a service provider for many companies’ 401k plans. In that capacity, they assist clients in the preparation of, and submission of, the plans’ Form 5500 to the Department of Labor.
On July 2, Sentry discovered that some plans’ Form 5500 submissions to DOL contained an attachment with the individuals’ names, Social Security numbers, and in some cases, 401k account balances.
To make matters worse, it seems the DOL uploaded the plans’ 5500 Forms to its EFAST2 website, where anyone can search for a plan’s filing, then click a link and download it.
In their July 11 letter to the Maryland Attorney General’s Office reporting the breach, Sentry’s Associate Counsel, Gregg S. Bott, writes:
It is our understanding that the DOL’s system has scrubbers/filters designed to catch and prevent Personal Information from being posted on its site.
It appears from Sentry’s letter, however, that EFAST2’s scrubbers/filters did not prevent the attachments from being uploaded with the 5500 Form. Bott writes that Sentry contacted DOL on July 2 to request all personal information be removed, and on July 9, DOL confirmed that all PII had been successfully removed. Sentry confirmed the removal on July 10 by visiting the EFAST2 site. But DOL was not able to verify whether the forms with the attachments had been accessed, which raises a second question about the DOL’s procedures: (1) how is that the attachments got uploaded to begin with, and (2) why can’t DOL determine whether files are being accessed?
Sentry offered those affected a free year of credit monitoring.
Mulling this over, I’m tempted to treat this as two breach incidents – one for Sentry Life Insurance and one for DOL.