MOVEit Hack Put Fidelity Retirement Plan Participant Data at Risk
After Progress Software disclosed a software vulnerability around May 31, PBI launched an investigation into the MOVEit vulnerability’s effect on PBI’s systems.
“Through the investigation, we learned that an unauthorized third party accessed one of our MOVEit Transfer servers … and downloaded data,” according to the message, included in the filing with the Maine AG’s office. PBI also filed the consumer notice with the California attorney general’s office.
PBI’s investigation determined the hackers could have gained unauthorized access to an affected person’s name, partial mailing address, Social Security number and birth date. The company is offering 24 months of credit monitoring and identity theft restoration services.
The affected individuals participate in workplace retirement plans across the country that Fidelity administers or for which it keeps records, the Fidelity spokesman told ThinkAdvisor.
PBI’s investigation included a comprehensive analysis to determine what information was obtained by the threat actor and which companies and individuals were affected, according to Fidelity.
“After we received notice of the incident from PBI, we suspended the data transmissions to PBI and began our own investigation. We validated the information provided by PBI, ensured proper notifications were being carried out, and ensured credit monitoring was available for all impacted individuals,” the spokesman said in an emailed statement.
”We continue to monitor participants’ accounts for suspicious activity and take the protection of client data and information very seriously and it is a top priority for Fidelity. We understand the trust that clients place in us to protect their data. Fidelity has an extensive range of safeguards and multiple layers of security in place to protect the security of our systems,” he added, citing information on the company’s security practices.
Fidelity noted that MOVEit is a managed file transfer software that many companies worldwide use in the regular course of business. The Cybersecurity and Infrastructure Security Agency has publicly reported that the “CL0P” cybercriminal group is responsible for the MOVEit Transfer incident, the firm said.
Schwab, TD Ameritrade Client Data
Meanwhile, on July 7, Charles Schwab posted a notice that TD Ameritrade has “limited use” of the eMOVEit transfer tool hit by hackers and that some client data was affected.
Schwab’s TD Ameritrade has “taken immediate action by containing the threat and halting any use of MOVEit Transfer,” the notice said. “We have also alerted and are working with law enforcement. The incident did not impact Ameritrade or Schwab’s business operations or other systems.
“The incident affected some client data. However, we believe less than 0.5% of clients may have been affected. We continue to actively investigate the incident in close consultation with independent forensic experts. We will provide more updates to clients and will communicate with them directly, as appropriate.”
Schwab and TD Ameritrade provide clients with security guarantees for losses due to unauthorized activity in their accounts, according to the notice, which directed customers to Ameritrade’s asset protection guarantee.
Image: Shutterstock