The latest high profile leak to make headlines wasn’t the result of an attack, a security breach, or even a bug. Rather, the leak of thousands of sensitive documents from embattled bank Wells Fargo was the result of an accident. As the New York Times reported, “Wells Fargo … turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.”
It is estimated that a staggering 50,000 individual customers had their data inadvertently shared with lawyers as part of 1.4 gigabytes of files (on a CD, no less) that Wells Fargo willingly turned over. And that data included quite a bit of sensitive information, including customers’ names, social security numbers, the size of their investment portfolio, and the fees the banks charged. The majority of the affected customers are clients of Wells Fargo Advisors, the branch of the bank that serves high-net-worth investors.
Initially, the documents requested from Wells Fargo were part of a defamation lawsuit against a bank employee, and were intended to be no more than a few emails and documents directly related to the case. But clearly, lawyers for Gary Sinderbrand, the employee in question, received much more than they bargained for. According to the Times, “The files were handed over … with no protective orders and no written confidentiality agreement in place between [a former employee’s] lawyers and Wells Fargo’s.”
That means that it would be totally legal for the recipients of these files to simply release the materials or include them in legal findings, making them publicly available.
So how did this happen? According to Bressler, Amery & Ross, the law firm Wells Fargo hired to deal with the case, was working with an outside vendor who apparently failed to adequately vet the documents to ensure that only necessary files were being sent over. Lawyer Angela Turiano called the disclosure was “inadvertant” and in an email exchange, noted, “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted.”
Lawyers for Sinderbrand noted that the former employee plans on keeping the CD and its contents confidential. “We are continuing to evaluate his legal rights and responsibilities,” laywers said. “Wells Fargo has not identified what specific documents it asserts were inadvertently exposed.”