Close Close
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards
ThinkAdvisor
The rear view of a person in a hoodie, working on a computer.

Regulation and Compliance > Cybersecurity

MOVEit Hack Put Fidelity Retirement Plan Participant Data at Risk

X
Your article was successfully shared with the contacts you provided.

What You Need to Know

  • The incident didn't result from a breach at Fidelity itself, an outside firm told consumers.
  • About 371,000 individuals with Fidelity-administered retirement accounts were affected.
  • The hack has affected customers of hundreds of companies, including Schwab.

Personal data for more than 371,000 individuals with Fidelity-administered retirement plans, or beneficiaries, may have been exposed to hackers who breached an outside file transfer system, Progress Software’s MOVEit, according to a notice from Pension Benefit Information, which uses the software.

The breach is part of a broad criminal hacking operation related to a vulnerability in the MOVEit transfer software, according to PBI, which operates as PBI Research Services. The hack has affected hundreds of companies and government agencies globally.

The incident didn’t involve a breach at Fidelity itself, the notice said.

PBI provides audit and address research services for Fidelity Investments, which handles administrative services for certain retirement plans, according to a filing made to the Maine attorney general’s office last week.

The company is sending notices to 1,912 affected consumers in Maine, but the exposure is far larger.

A report posted on the Maine AG’s website indicates the affected Maine residents were part of a hack involving 371,359 individuals.

A Fidelity spokesman confirmed to ThinkAdvisor on Monday that those people either have a Fidelity-administered retirement plan or are beneficiaries of deceased plan participants.

Fidelity’s systems weren’t affected, the spokesman said. The investment giant had provided plan participant information to PBI and a “bad actor” exploited the MOVEit software vulnerability before it was patched, he explained.

Industry website Ignites reported about the breach on Friday.

Filing in Maine 

“Although we have no indication of identity theft or fraud in relation to this event, we are providing you with information about the event, our response, and additional measures you can take to help protect your information,” PBI wrote in a notice to potentially affected Maine consumers, cited in the filing.

“Please note that this incident is not the result of any breach at Fidelity Investments or (an unidentified client),” it explained. ”Fidelity has indicated that your accounts at Fidelity continue to be covered by Fidelity’s Customer Protection Guarantee.”

The breach occurred May 29-30 and was discovered June 2, according to the filing.

As of March 31, there were 44.5 million retirement accounts, including 22.7 million participants in 24,800 corporate defined contribution plans, on Fidelity’s platform.

After Progress Software disclosed a software vulnerability around May 31, PBI launched an investigation into the MOVEit vulnerability’s effect on PBI’s systems.

“Through the investigation, we learned that an unauthorized third party accessed one of our MOVEit Transfer servers … and downloaded data,” according to the message, included in the filing with the Maine AG’s office. PBI also filed the consumer notice with the California attorney general’s office.

PBI’s investigation determined the hackers could have gained unauthorized access to an affected person’s name, partial mailing address, Social Security number and birth date. The company is offering 24 months of credit monitoring and identity theft restoration services.

The affected individuals participate in workplace retirement plans across the country that Fidelity administers or for which it keeps records, the Fidelity spokesman told ThinkAdvisor.

PBI’s investigation included a comprehensive analysis to determine what information was obtained by the threat actor and which companies and individuals were affected, according to Fidelity.

“After we received notice of the incident from PBI, we suspended the data transmissions to PBI and began our own investigation. We validated the information provided by PBI, ensured proper notifications were being carried out, and ensured credit monitoring was available for all impacted individuals,” the spokesman said in an emailed statement.

 ”We continue to monitor participants’ accounts for suspicious activity and take the protection of client data and information very seriously and it is a top priority for Fidelity.  We understand the trust that clients place in us to protect their data. Fidelity has an extensive range of safeguards and multiple layers of security in place to protect the security of our systems,” he added, citing information on the company’s security practices.

Fidelity noted that MOVEit is a managed file transfer software that many companies worldwide use in the regular course of business. The Cybersecurity and Infrastructure Security Agency has publicly reported that the “CL0P” cybercriminal group is responsible for the MOVEit Transfer incident, the firm said.

Schwab, TD Ameritrade Client Data

Meanwhile, on July 7, Charles Schwab posted a notice that TD Ameritrade has “limited use” of the eMOVEit transfer tool hit by hackers and that some client data was affected.

Schwab’s TD Ameritrade has “taken immediate action by containing the threat and halting any use of MOVEit Transfer,” the notice said. “We have also alerted and are working with law enforcement. The incident did not impact Ameritrade or Schwab’s business operations or other systems.

“The incident affected some client data. However, we believe less than 0.5% of clients may have been affected. We continue to actively investigate the incident in close consultation with independent forensic experts. We will provide more updates to clients and will communicate with them directly, as appropriate.”

Schwab and TD Ameritrade provide clients with security guarantees for losses due to unauthorized activity in their accounts, according to the notice, which directed customers to Ameritrade’s asset protection guarantee.

Image: Shutterstock


NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.