Fidelity, BofA, Others Face New Lawsuit Over MOVEit Data Breach

What You Need to Know

The MOVEit cyberattack on a file transfer tool affected hundreds of firms and millions of consumers.
The suit alleges defendants were negligent in maintaining consumers’ personal data.

Fidelity Investments, Bank of America, Corebridge Financial and others failed to properly secure and safeguard consumers’ private information, according to a new lawsuit arising from the massive MOVEit software data breach.

Plaintiff Frank W. Cooper, in a proposed class-action complaint filed Sept. 7 in U.S. District Court in Massachusetts, also sued F&G Annuities & Life and two other companies affected by the breach: Pension Benefit Information, which does business as PBI Research Services, and MOVEit owner Progress Software Corp.

The hack, which occurred in late May, touched hundreds of companies, including numerous financial services firms, and tens of millions of consumers worldwide, subsequently spawning multiple lawsuits.

The breach occurred when a Russian ransomware gang exploited a weakness in MOVEit, a Progress Software tool that numerous organizations use to transfer files containing sensitive data.

The attack reached many companies through PBI Research Services, which has said it uses MOVEit to help financial firms determine whether account holders are alive and find beneficiaries. PBI was one of the companies whose data the gang accessed and stole, including personal data belonging to Cooper and millions of others, the suit says.

Fidelity Investments Institutional Operations, Bank of America, Corebridge and F&G Annuities & Life entrusted tens of thousands of consumers’ personally identifiable information, including Cooper’s, to PBI and Progress Software, according to the complaint. This included names, addresses, birth dates, phone numbers and Social Security numbers, the lawsuit says.

PBI controlled Cooper’s personal data because it processes information for his retirement and annuity plans, according to the suit. In July, PBI informed Cooper and other Fidelity customers about the data breach involving MOVEit’s software, the complaint notes.

PBI notified these customers that it provides audit and address-research services for Fidelity Investments, which provides administrative services for retirement plans at Bank of America, where Cooper previously worked.

In Bank of America’s role as Cooper’s pension plan sponsor, the company provided his personal data to Fidelity and PBI, according to the complaint, which highlights the network of corporate connections that allowed the hack to reach so many organizations and consumers.

Cooper also as a deferred fixed annuity with F&G and a fixed annuity contract with Corebridge Financial, according to the suit.