Fidelity Latest Victim of MOVEit Hacks via Vendor PBI

Pension Benefit Information LLC, operating as PBI Research Services, reported in a regulatory filing Wednesday that the personal information of 371,359 participants in retirement plans administered by Fidelity Investments had been exposed in a data breach.

The breach stemmed from a May attack on the encrypted file transfer software MOVEit and has hit financial firms, universities, the U.S. federal government and California public retirement systems, according to regulatory filings.

The PBI data breach occurred at the end of May and was discovered on June 2, according to PBI’s filing with the Office of the Attorney of General of Maine. Ignites first reported the breach.

On or around June 4, the firm sent a letter to potentially impacted customers noting that some of their personal information may have been stolen, but that the firm was not aware of an identity theft or fraud. PBI also provided customers with 24 months of credit monitoring and identity restoration from Kroll.

“Upon learning about this vulnerability, we promptly took steps to patch servers, investigate, assess the security of our systems, and notify potentially affected customers and individuals associated with those customers,” John Bikus, the president of PBI, wrote in the letter. “In response to this event, we are also reviewing and enhancing our information security policies and procedures.”

PBI noted to customers that the breach impacted a “small percentage” of clients and that there was no breach at Fidelity. Rather, PBI “provides audit and address research services” for Fidelity, and the breach occurred via MOVEit file transfer, an encryption and file moving software owned by Progress Software Corp.

The letter noted that Fidelity had indicated accounts will continue to be covered by the recordkeeper’s customer protection guarantee. That guarantee notes on Fidelity’s website that the firm “will reimburse you for losses from unauthorized activity in your Covered Accounts occurring through no fault of your own.”

Fidelity did not immediately respond to request for comment on the breach.

The California Public Employees’ Retirement System and the California State Teachers Retirement System were hit by the same MOVEit breach via PBI, according to filings. Other organizations impacted by the attack include Corebridge Financial, Genworth Financial and Putnam Investments.