Merrill Cyber Leak Exposes Walmart 401(k) Participants

Walmart

Image Credit: © Splosh | Dreamstime.com

Over a thousand participants in the Walmart 401(k) Retirement Plan were exposed to a data breach by recordkeeping provider Merrill Lynch, after an employee accidentally revealed private information that included names and Social Security numbers to an unauthorized user.  

The data breach impacted 1,883 Walmart employees who were enrolled in the company’s 401(k) Retirement Plan, according to a notice by the Maine Attorney General’s office. As reported in the notification letter, “on April 16, 2024, a Merrill employee inadvertently disclosed personal information to an unauthorized recipient via an isolated email error.”

The letter goes on to note that Merrill became aware of the incident on April 22, 2024, and notified impacted individuals on May 23, 2024. The email has since been confirmed deleted, and neither Merrill nor Maine’s Attorney General have been notified of any misuse of the personal information disclosed.

As a result, Merrill said it would provide complimentary two-year membership with Experian Credit Monitoring, an identity theft protection service, for affected individuals. Information about the services is contained in the notification letter sent to impacted participants.


Merrill currently functions as Bank of America’s investment and wealth management division. Walmart’s 401(k) plan holds $36.7 billion in assets among 1,946,270 participants, according to its latest Form 5500 filing.

The breach comes a few months after the Securities and Exchange Commission (SEC) vowed to prioritize cybersecurity practices in 2024. In its examination priorities last year, the agency said it would focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors, governance practices, and responses to cyber-related incidents, including ransomware attacks.

“Part of this review will consider whether registrants adequately train staff regarding their identity theft prevention program and their policies and procedures designed to protect customer records and information,” the SEC stated at the time.

SEE ALSO:

Exit mobile version