State’s error unveiled Social Security numbers

Data sent on 139,000 investment advisers

By Todd Wallack
Globe Staff / July 6, 2010

E-mail this article

Invalid E-mail address
Invalid E-mail address

Sending your article

Your article has been sent.

Text size +

The Massachusetts secretary of state’s office, which is charged with enforcing financial rules for investment companies, accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state.

The data, including the advisers’ Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division, which Secretary of State William F. Galvin oversees.

IA Week had asked for a list of registered investment companies. The Securities Division responded by sending a list of individual investment professionals.

In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color, and eye color.

“It’s a pretty big mistake,’’ said Carl Ayers, IA Week’s publisher. “It’s pretty shocking, because it’s such a large number of people.’’

IA returned the database to the Securities Division in June and wrote about the episode last week.

Brian McNiff, a spokesman for Galvin, said a new employee erred by not deleting the Social Security numbers and other information that is normally withheld. McNiff said IA Week returned the CD-ROM with a letter stating it had not made any copies of the data, so the state has no reason to think anyone was harmed.

“It’s an unfortunate mistake,’’ McNiff said. “It obviously was not done according to [standard] practice.’’

Under Massachusetts law, organizations are required to notify the individuals affected, the state attorney general, and the director of consumer affairs whenever a security breach occurs that exposes the personal information of Massachusetts residents.

McNiff said the Securities Division is trying to determine whether it needs to notify anyone, since it has recovered the data and does not believe it was ever misused.

The episode is a fresh reminder that data breaches — whether involving theft or mistakes — are becoming more common as companies compile greater amounts of electronic data. As of last fall, Massachusetts regulators had received reports from companies of more than 800 data breaches that potentially affected more than 1 million residents of the state.

Tufts University, for instance, recently warned thousands of alumni that their information may have been exposed.

In March, Citigroup told state regulators that “due to a processing error,’’ it had printed the Social Security numbers of some customers on the outside of envelopes mailed in February, potentially exposing personal information for more than 12,000 Massachusetts residents.

The Social Security numbers were included in a string of other numbers and letters so that they looked like mail routing codes, Citigroup said, so the company did not have any reason to believe Social Security numbers were misused.

Todd Wallack can be reached at