Massachusetts-based Zevin Asset Management recently began notifying an undisclosed number of customers that their personal information was mistakenly made available online.
In September of 2013, an employee violated company policy by using an online service provider to host a document listing some custodian account user names and passwords. Although the final version of the document was password-protected, a test version wasn't, and was inadvertently left online from mid-September 2013 until December 30, 2013.
The accounts in question contain the clients' names, Social Security numbers and/or financial account numbers, and account holdings.
While there's no indication that any of the data was inappropriately accessed, the company is offering all those affected one year of free credit monitoring services.
"We are truly sorry that this incident has occurred and, upon learning of it, we took immediate measures to stop the potential breach and prevent any similar potential breach from occurring," Zevin president Benjamin Lovell wrote in the notification letter [PDF]. "We removed the documents at issue from the Internet, changed our user names and passswords, and reminded our staff of the critical importance of complying with our policies designed to protect our clients' personal information."