Data Breach at Merrill Exposes Personal Information of Walmart 401(k) Participants

An isolated email error caused Walmart retirement plan participants’ names and Social Security numbers to be exposed.

A total of 1,883 employees who participate in the Walmart 401(k) Retirement Plan were notified on Thursday about a data breach that occurred at Merrill Lynch, Pierce, Fenner & Smith Inc., which provides recordkeeping services for the retirement plan, according to a notice on the Maine Attorney General’s website. 

The notice stated that on April 16, a Merrill employee inadvertently disclosed personal information to an unauthorized recipient via an isolated email error. The personal information included in the email was first names, last names and Social Security numbers. 

For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.

Merrill, is a subsidiary of Merrill Lynch & Co. which is part of Bank of America Corp., became aware of the incident on April 22 and stated in the notice that the email has been “confirmed deleted.” 

The recordkeeper stated that they are not aware of any misuse of the personal information disclosed.  

The Walmart plan had $36.7 billion in assets and 1,946,270 participants, according to the latest Form 5500 filed with the Department of Labor. 

To mitigate the issue, Merrill is providing a complimentary two-year membership in an identity theft protection service eligible for affected individuals. The product provides participants with daily monitoring of their credit reports from three national credit reporting companies—Experian, Equifax and TransUnion.  

A spokesperson at Merrill said given the disclosure the company made to the Maine Attorney General, the company does not have any further comment.  

“As the notice shows, this impacted just some participants,” the spokesperson said. 

A similar data breach incident occurred earlier this year when more than 451,000 plan participants at J.P. Morgan Chase had their personal information exposed after a software issue caused certain reports run by three unauthorized system users to include participant information that they were not entitled to see. According to J.P. Morgan, the breach was not part of a cyberattack and there was no indication of data misuse. 

Walmart did not immediately respond to a request for comment on the data breach incident.  

«