Voya Webpage Blunder Puts Advisor Social Security Numbers at Risk of Exposure
A technical malfunction on a Voya Financial Advisors webpage could have exposed its financial advisors’ social security numbers, according to news reports.
At the end of November, the company’s information technology team discovered that pasting the link to a broker’s biography webpage on social media or into a text message would display the advisor’s Social Security number within the link, according to a memo sent to Voya’s advisors on Friday, InvestmentNews writes.
The error was in place from April 9, 2016, until the end of November, the memo said, according to the publication. The memo added that Voya found no evidence the error had been “maliciously exploited,” InvestmentNews writes. It’s unclear how many of the firm’s 1,800 advisors and registered representatives were affected by the error, according to the publication.
A Voya spokeswoman tells InvestmentNews the glitch was due to “a coding configuration issue” and didn’t lead to exposure of any advisor’s personal information or unauthorized access.
"A number of conditions would have been required for an advisor’s information to be seen,” Voya spokeswoman Laura Maulucci tells the publication in an email. “There was no evidence of any unauthorized viewing of personal information in this manner."
This isn’t the first time in recent history Voya has run into cybersecurity issues. In September, the firm settled with the SEC for $1 million over alleged failures to guard client data, in what was the first enforcement case of the regulator’s Theft Red Flags rule.
That case involved an actual attack: for several days in 2016, cyber fraudsters allegedly called the firm’s support line impersonating Voya contractors to request password resets, which allegedly enabled them to gain access to personal information on 5,600 Voya clients. The intruders were also allegedly able to access three clients’ account documents.
Voya’s Friday memo to its advisors comes on the heels of a January data leak at BlackRock that exposed sales-related personal information, such as names and email addresses and sales representative contacts, of 20,000 financial advisors.
This included three-quarters of all of LPL Financial’s 16,000 advisors. And in November, analytics firm Capital Forensics Inc. discovered an unauthorized person was able to access a third-party file-sharing platform it used for its clients, which includes LPL.
Dan Arnold, LPL’s president and CEO, told the firm’s brokers in a memo that all LPL data was immediately removed, but the firm didn’t say how many advisors or clients were affected, InvestmentNews wrote at the time.