Walmart Data Breach: What Happened and How?

In April 2024, Walmart’s retirement plan administrator, Merrill Lynch, experienced a security incident that revealed how even small internal oversights can create outsized risks. The breach, while limited in scope and unintentional in nature, affected nearly 1,900 Walmart employees participating in the company’s 401k plan.

Rather than stemming from cybercriminal activity or technical failure, the incident was the result of a simple human mistake—one that serves as a reminder of how critical it is to secure internal workflows, not just external threats.

What Happened?

On April 16, 2024, a Merrill Lynch employee unintentionally sent an email that included the personally identifiable information (PII) of 1,883 Walmart 401k participants to an unauthorized recipient. The email contained sensitive details such as full names and Social Security numbers.

The mistake was quickly identified. Within six days—by April 22—Merrill Lynch had discovered the error, alerted Walmart, and submitted a formal regulatory notice in Maine. The company also began notifying affected individuals by mail.