It was recently reported that more than a thousand employees of retail giant Walmart were victimized by a serious data breach. More specifically, these employees were all participants in Walmart’s employee 401(k) plan. External data privacy was once again at the center of a major breach. This time it was a breach of secure information systems at Merrill, the plan administrator, that exposed 1000 employees’ sensitive personal financial data, including Social Security Numbers. Merrill is a subsidiary of financial behemoth Bank of America.
This incident is a superb illustration of how a single security failure often impacts multiple organizations at its inception and almost always results in the victimization of even more groups over time.
The ensuing postmortem of the Merrill/Bank of America/Walmart 401(k) breach shines a light on several hot-button issues from the realm of the information security and data privacy protection industries, particularly the role of third-party vendors in data breaches. It also reflects upon the current sclerotic state of regulations and the wholesale inadequacy of regulatory bodies to address the threats posed by weak or entirely absent data privacy protection practices.
KNOWN FACTS OF THE ATTACK
On May 23, 2024, Bank of America filed a notice with the Maine attorney general’s office. In the notice, it was revealed that more than 1,800 participants in Walmart’s 401(k) retirement plan had their names, Social Security numbers and other PII exposed as the result of a data breach.
The filing also disclosed that an employee of the retirement plan’s record keeper, Merrill Lynch, had mistakenly disclosed this personal information to an unauthorized party on April 16. The filing characterized this as “an isolated email error” and stated that Merrill first learned of the breach on April 22.
Merrill sent a letter to those customers impacted by the breach promising that the “errant email” had been deleted. They also claimed they were not aware of any inappropriate use of the personal information that had been exposed and offered two years of complimentary membership in Experian IdentityWorks, an identity-theft protection service.
This latest instance of retirement plans being targeted by hackers is perhaps not surprising, as financial institutions are an obvious target for threat actors. What might not be widely recognized, yet is relatively easy for hackers to discern, is that the distinct operational framework of retirement plans presents several possible vulnerabilities, as experts have indicated. The contributions and information of plan participants are frequently passed between various entities before reaching the financial institution responsible for managing the plan.
Planadviser is a journal serving the retirement planning industry. In a 2024 article titled “401(k) World: Cyber Thieves”, Planadviser distills the vulnerability at the heart of this type of attack against 401(k) plans. The article quotes CTO Marc Bleicher from a D.C.-based digital incident response company. Bleicher correctly notes that because financial institutions typically employ the best, newest and strongest security, electronic theft of funds from these organizations “would be extremely difficult”. Instead, Bleicher points to other strategies being embraced by threat actors. 401(k) plans typically use a “software supply chain” to build out their applications, and supply chain vulnerabilities are particular sources of breaches using social engineering vectors. KnowBe4’s Roger Grimes notes in the same article that social engineering accounts for between 70% and 90% of all successful hacks.
Moreover, as was the case with the Walmart 401(k) hack, most retirement plans are managed by one institution but leverage numerous, third-party management companies to administer the plans. So, there is both a software supply chain and a physical supply chain vulnerability at play. And the entire chain is only as strong as the weakest link’s external data privacy protocol. This is why Privacy Bee for Business delivers Vendor Risk Management assessments – free of charge – for organizations seeking to understand the risks posed by their third-party vendor relationships.
Also, for more on how supply chains and third-party vendors present a risk, read Privacy Bee’s “Primer on Supply Chain Privacy Risk”.
INITIAL CONSEQUENCES
Unlike many of the other breaches examined in this series of postmortem reviews, the breach of Walmart’s 401(k) plan triggered a cascade of interventions from governmental and regulatory bodies. Only a few short months before this breach, the Securities and Exchange Commission (SEC) resolved to prioritize cybersecurity practices in 2024. The SEC announced it would be focusing on “registrants’ policies and procedures, internal controls, oversight of third-party vendors, governance practices, and responses to cyber-related incidents, including ransomware attacks”, according to 401(k) Specialist Magazine. The subsequent exposure of Walmart’s plan data added additional urgency to this imperative.
The SEC’s Division of Examinations released its yearly examination priorities, analyzing practices, products, and services that it believes present potentially heightened risks to investors or the integrity of the U.S. capital markets. SEC Chair Gary Gensler said, “In examining for compliance with our time-tested rules, the Division helps registrants understand the rules as well as ensures that markets work for investors and issuers alike.” Among the priorities enumerated in this SEC examination was an entire section on “Cyber-Resiliency”, which is intended to focus on registrants’ policies, procedures, internal controls, oversight of third-party vendors, governance practices and responses to cyber-related incidents including ransomware and other attacks. “Part of this review will consider whether registrants adequately train staff regarding their identity theft prevention program and their policies and procedures designed to protect customer records and information,” the SEC noted.
The close timing of the SEC’s announcement and the Walmart/Merrill breach catalyzed a flurry of media attention as well as an acute interest within corporate boardrooms. The warnings of this precise vulnerability, followed so quickly by an actual instance of this exact kind of activity, helped clarify the need for solutions that prevent attacks of this nature – as opposed to curative solutions applied after an attack. Further clarified was a new piece of emerging conventional wisdom holding that external data privacy failures are to blame for the rising numbers of data breaches.
Seeking to get a clear, data-driven view into their organizations’ external data privacy risk, CISOs and other InfoSec leaders have – in the wake of the Walmart breach and others – been turning to scans like the External Data Privacy Audit and Employee Risk Management scan offered by Privacy Bee for Business at no charge.
As a highly regulated industry, retirement investment companies are being required to develop, articulate, deploy and maintain strict governance, risk and compliance (GRC) programs related to their external data privacy management practices. This is an area in which Privacy Bee leads the way, publishing detailed “how-to” documents on developing and deploying external data privacy metrics and KPIs, expressly for purposes of enabling the GRC being mandated by the SEC and other regulatory bodies.
ATTACK VECTORS AND EXTERNAL DATA PRIVACY MANAGEMENT
The two acknowledged vectors for the Walmart/Merrill 401(k) breach are a phishing-based business email compromise attack and an attack leveled against a third-party vendor. In this case, the breach affected Walmart, but was initiated by an attack on Merrill (and parent company Bank of America). The two vectors – social engineering and third-party vendor targeting – work hand in glove. Threat actors utilize social engineering attacks like spear phishing and others to circumvent the information security defenses either in the physical supply chain (in this case the 401(k) plan administrator) or to inject malicious code into pieces of open source or other software eventually sourced through the software supply chain for use in application development.
We know that phishing and other social engineering account for the vast majority of breaches experienced today. According to SC Magazine, phishing emails have increased by 341% and 856% during the past six and 12 months, respectively, with the surge mostly attributed to the increasing adoption of ChatGPT and other generative artificial intelligence services among threat actors, as SiliconAngle also reports. Generative AI has also propelled a 27% growth in business email compromise attacks over the trailing two quarters, while credential phishing has emerged as the leading breach access point, following a 217% increase during the same period, according to a SlashNext report.
We also have evidence supporting the position that the profile of third-party risk management has grown in stature in the last several years. Consider the Mastercard RiskRecon and Cyentia Institute research report “State of Third-Party Risk Management in 2020”, based on a survey of 154 active third-party risk management professionals, members of the Third Party Risk Association and a large LinkedIn peer group. This exhaustive survey revealed:
- 79% of organizations had formal programs in place to manage third-party risk in 2020
- 84% of companies used vendor questionnaires as their most common risk assessment method
- 69% used documentation reviews
- 50% used remote assessments
- 42% used cybersecurity ratings, and
- 34% used onsite security evaluations
External data privacy practices must not only be applied to your own organization. They should also be extended to cover any third-party vendors with whom any degree of information systems access is shared. Vendor Risk Management is the name of the game for ensuring that weak or non-existent external data privacy policies don’t expose your organization to breaches the way Merrill’s weakness impacted Walmart’s 401(k) plan.
Gartner says VRM is an essential requirement and defines the functions of effective VRM solutions. It suggests critical capabilities should include:
- Automation of part or all the assessment, analysis and control validation process
- Providing remediation and mitigation guidance
- Facilitating the monitoring of risks associated with vendors and other third parties that access, support or control information assets
- Acquisition, analysis and reporting of vendor risk data sourced from public and private sources
LONGER TERM CONSEQUENCES
The Walmart 401(k) breach was but one of a recent spate of attacks on 401(k) plan administrators, for the reasons evinced earlier in this paper. The US Department of Labor and the SEC are both clamoring for increased regulatory oversight in the wake of this attack, something that will have significant ramifications from a compliance perspective for any organization offering 401(k) retirement plan options as part of the compensation packages it uses to attract and retain employees.
Bloomberg Law writes, “The US Labor Department’s first-and-only cybersecurity guidance for retirement plans in 2021 was aimed at its primary enforcement target: plan sponsors, who take on a fiduciary duty of prudence and loyalty to the participants and beneficiaries of the plans they oversee.” To this end, the DOL and victimized plan participants have filed lawsuits against retirement account recordkeepers like JP Morgan and Alight Solutions, who’ve both also been victimized by threat actors. The suit against JP Morgan alleges the recordkeeper failed to prevent the breach of customer PII for nearly half a million plan participants.
The Securities and Exchange Commission’s Regulation S-P and the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model provide simple technical controls organizations could adopt to protect sensitive data (including unsecured external data). However, in the absence of a legal standard, compliance will remain elective on the part of information technology professionals, compliance personnel, and executives.
The JD Journal writing on this issue as it pertains specifically to the Walmart breach says, “Service providers typically avoid fiduciary obligations in their contracts, bypassing direct Department of Labor (DOL) oversight. The DOL’s stance is that it is the plan sponsors’ responsibility to prevent data breaches” and likens the process of protecting a retirement plan to a chain, with multiple entities involved, including the employer and the record keeper, where data moves from one to the next. The ultimate responsibility for data protection falls on the plan sponsor.
Industry watchers largely agree that data privacy obligations for retirement plan administrators, as third parties, should be written into addenda to the Employee Retirement Income Security Act of 1974 (ERISA), which currently governs fiduciary responsibility. The idea is that any company failing to prevent a breach would be liable under that fiduciary responsibility and could therefore be responsible for making whole any losses that stem from it.
It remains to be seen how the SEC, DOL and other bodies ultimately devise and enforce new regulations to address this novel and growing threat. What is certain, however, is that some form of new law or regulation is imminent, and organizations will soon require concrete ways of managing external data privacy and proving compliance with both their internal business rules and external regulations.
HOW EXTERNAL DATA PRIVACY MANAGEMENT COULD HAVE PREVENTED THIS ATTACK
Managing and protecting access to the PII of every single employee and those of all third-party affiliates (like vendors and other partners) may seem like an overwhelming challenge. Knowing there are 350+ People Search Sites and data brokers, dozens of social media platforms, powerful search engines and tons of publicly searchable data makes it an even more sobering prospect. Sitting around waiting for defenses to fail is not an option. Act on the offense and disrupt attacks before they start. Here are some of the broad solution elements from Privacy Bee to help immediately begin shrinking the attack surface back to acceptable tolerances.
Privacy Bee’s Employee Risk Management (ERM) solution is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes spent loading and configuring your employee list (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Each discovery is flagged as an exposure and feeds into that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
Privacy Bee’s External Data Privacy Audit (EDPA) is another 100% free, web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates the potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures, along with insight into the tangible financial impact they have within your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside your organization who may nonetheless have a degree of access to your sensitive information systems. This solution evaluates all your vendor/partner organizations for Electronic Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your third-party vendors one-on-one to decrease their vulnerabilities, effectively de-risking your company at no cost to you.
While all these (and other) audits and monitoring services are available at no cost, removing employee PII from all unsafe locations on the net is what actually reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource the removal service for their at-risk employees and vendors to Privacy Bee. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Don’t wait to focus on shrinking the attack surfaces threatening your retirement plans. Contact Privacy Bee today for a demo and more information on how to be proactive with data privacy and attack surface reduction in your organization.
