BlackRock Accidentally Exposes Confidential Sales Data For Thousands Of Financial Advisors

As we've pointed out before, the notoriously high fees charged by financial advisors aren't the only reason why young people are opting for low-cost robo-advisors (or simply stashing their money in an index-tracking ETF that charges 3 basis points a year) instead of human advisors. There's also the issue of whom financial advisors serve: Their clients - to whom they have a fiduciary obligation - or the big wirehouses and fund managers who supply their product?

Well, BlackRock, which holds the title of world's largest asset manager, with more than $5 trillion AUM, appears to have inadvertently affirmed that thousands of financial advisors serve their masters first, and their clients second.


Because in what Bloomberg described as an embarrassing and incidental slip-up - the result of an unforced error - BlackRock accidentally published details about its sales relationship with thousands of financial advisors.

In three spreadsheets accidentally published on a webpage associated with BlackRock's iShares ETF business, thousands of financial advisors were given ratings based on how much business they bring BlackRock. Some were classified as "dabblers" or "power users". Some had even achieved "Club" status, including membership in a "Patriot's Club" or "Director's Club".

But despite the insight this offered into the relationship between BlackRock and the army of "independent" financial advisors responsible for selling its products, BBG didn't seem to give these revelations much thought. Instead, they focused on the fact that this is probably the most embarrassing Wall Street data breach since JPM's 2014 breach - the only difference being that the latter was perpetrated by malicious hackers.

BlackRock Inc., the world’s largest asset manager, inadvertently posted confidential information about thousands of financial adviser clients on its website.

The data appeared in three spreadsheets, linked on one of the New York-based company’s web pages dedicated to its iShares exchange-traded funds. The documents included names and email addresses of financial advisers who buy BlackRock’s ETFs on behalf of customers. They also appeared to show the assets under management each adviser had in the firm’s iShares ETFs.

The links were dated Dec. 5, 2018, but it’s unclear how long they were public. The documents were seen by Bloomberg and removed Friday. BlackRock, which oversees assets of almost $6 trillion, is the world’s largest issuer of ETFs.

One of the spreadsheets appears to list more than 12,000 entries of advisers and their sales representatives at BlackRock. On another, the advisers were categorized in a variety of ways such as “dabblers” or “power users.” A column noted their “Club Level” including the “Patriots Club” or “Directors Club.”

A BlackRock spokesperson said the company was reviewing the accidental leak, and hinted that two "distribution partners" (i.e. the BlackRock employees responsible for wholesaling the company's financial products) were likely to blame for the leak.

"We are conducting a full review of the matter," spokesman Brian Beades said in a statement Friday. "The inadvertent and temporary posting of the information relates to two distribution partners serving independent advisers and does not include any of their underlying client information."

Securing data is known to keep Wall Street leaders awake at night. But most often, senior executives cite a fear of hackers, which has prompted some of the nation’s biggest banks to pour upwards of $1 billion a year into cybersecurity. It’s one area where financial firms set aside bitter rivalries, sharing tips and collaborating on projects to ensure the public remains confident in the industry - and that it never suffers a catastrophic loss.

According to one cybersecurity expert quoted by Bloomberg, the best way for Wall Street firms to mitigate the fallout from cybersecurity scandals is to 'accurately communicate what happened', adding that the firms' initial response is crucial.

Firms can’t avoid breaches entirely, but they can react to them in a way that rebuilds trust, said John Reed Stark, who focused on internet crimes while working in the Securities and Exchange Commission’s enforcement division and now runs a cybersecurity consulting business.

“Data security incidents are inevitable,” he said after the incident at BlackRock. “The most important thing in this kind of situation is about the response from the firm, and whether they’re communicating accurately about what happened.”

And what better way to restore confidence in one's business than by deflecting blame for its mistakes?