What You Need to Know
- The incident didn't result from a breach at Fidelity itself, an outside firm told consumers.
- About 371,000 individuals with Fidelity-administered retirement accounts were affected.
- The hack has affected customers of hundreds of companies, including Schwab.
Personal data for more than 371,000 individuals with Fidelity-administered retirement plans, or beneficiaries, may have been exposed to hackers who breached an outside file transfer system, Progress Software’s MOVEit, according to a notice from Pension Benefit Information, which uses the software.
The breach is part of a broad criminal hacking operation related to a vulnerability in the MOVEit transfer software, according to PBI, which operates as PBI Research Services. The hack has affected hundreds of companies and government agencies globally.
The incident didn’t involve a breach at Fidelity itself, the notice said.
PBI provides audit and address research services for Fidelity Investments, which handles administrative services for certain retirement plans, according to a filing made to the Maine attorney general’s office last week.
The company is sending notices to 1,912 affected consumers in Maine, but the exposure is far larger.
A report posted on the Maine AG’s website indicates the affected Maine residents were part of a hack involving 371,359 individuals.
A Fidelity spokesman confirmed to ThinkAdvisor on Monday that those people either have a Fidelity-administered retirement plan or are beneficiaries of deceased plan participants.
Fidelity’s systems weren’t affected, the spokesman said. The investment giant had provided plan participant information to PBI and a “bad actor” exploited the MOVEit software vulnerability before it was patched, he explained.
Industry website Ignites reported about the breach on Friday.
Filing in Maine
“Although we have no indication of identity theft or fraud in relation to this event, we are providing you with information about the event, our response, and additional measures you can take to help protect your information,” PBI wrote in a notice to potentially affected Maine consumers, cited in the filing.
“Please note that this incident is not the result of any breach at Fidelity Investments or (an unidentified client),” it explained. ”Fidelity has indicated that your accounts at Fidelity continue to be covered by Fidelity’s Customer Protection Guarantee.”
The breach occurred May 29-30 and was discovered June 2, according to the filing.
As of March 31, there were 44.5 million retirement accounts, including 22.7 million participants in 24,800 corporate defined contribution plans, on Fidelity’s platform.