Pension Benefit Information LLC, operating as PBI Research Services, has disclosed a data breach that exposed the personal information of 371,359 participants in retirement plans administered by Fidelity Investments to unauthorized access. The disclosure came in a regulatory filing made by PBI Research Services on Wednesday.
The breach originated in May, when cybercriminals targeted the encrypted file transfer software MOVEit. The attack has affected numerous financial institutions, universities, the U.S. federal government, and even California public retirement systems, as confirmed by regulatory filings.
The Discovery of the Data Breach and Further Actions
PBI Research Services discovered the breach at the end of May and promptly reported it on June 2 to the Office of the Attorney General of Maine. The breach was first reported by Ignites, a reliable source for financial news.
Shortly after, on or around June 4, PBI Research Services sent a notification letter to potentially impacted customers, informing them of the incident and the potential compromise of their personal information. However, at the time of the letter, there were no reported cases of identity theft or fraud related to the breach. To mitigate the risks, PBI Research Services took the initiative to provide affected customers with 24 months of credit monitoring and identity restoration services offered by Kroll.
In a letter addressed to customers, John Bikus, the president of PBI Research Services, described the company's immediate response to the vulnerability. The company swiftly took action by patching servers, conducting thorough investigations, assessing the security of its systems, and notifying individuals who might have been associated with the affected customers. Additionally, PBI Research Services is reviewing and strengthening its information security policies and procedures to prevent future incidents.
It is important to note that the breach had a limited impact, affecting only a small percentage of PBI Research Services’ clients. Furthermore, the breach did not occur within Fidelity Investments’ infrastructure. PBI Research Services, which provides audit and address research services for Fidelity, was breached through the MOVEit file transfer software, which is owned by Progress Software Corp.
The letter from PBI Research Services reassured customers that Fidelity Investments has affirmed its commitment to customer protection. According to Fidelity’s customer protection guarantee, which can be found on their website, any losses resulting from unauthorized activity in covered accounts, occurring through no fault of the account holder, will be reimbursed.
Fidelity Investments has not yet responded to requests for comment regarding this data breach.
In addition to Fidelity Investments, the California Public Employees’ Retirement System and the California State Teachers’ Retirement System have also fallen victim to the same MOVEit breach through PBI Research Services, as reported in official filings. Corebridge Financial, Genworth Financial, and Putnam Investments are among the other organizations impacted by this attack.