Case 1 - The Facts:
I have had large Fidelity accounts since 1975. Since I have my own domain I can easily give unique email addresses to organizations that I deal with. A few years ago I gave Fidelity a unique email address that has been used nowhere else and has appeared nowhere else.
On June 6, 2010 I started receiving daily financial related spam emails to the email address that only Fidelity had. The emails were from flagcuffs.info and directed the reader to a website with that domain name.
I reported this to Fidelity, spoke with their Electronic Support "Specialist," and sent him copies of the emails. The emails stopped after about two weeks. I assume Fidelity clicked an the "unsubscribe" link in the spam email on my behalf.
I have since found another Fidelity customer that started receiving similar emails at about the same time.
About a month later I sent an email to the "Specialist" enquiring into the status of the investigation into this problem. I received no response, sent the email again and still no response. Some time after that I was talking to a Fidelity customer rep on another matter and told him of the security breach I was concerned about, gave him the "Specialist's" name, and asked to have the "Specialist" call me and bring me up to date on Fidelity's investigation of this matter. I received no call back from anyone.
Possible explanations:
[a] - Some staff person at Fidelity sold the Fidelity customer email list to that spammer.
[b] - The spammer managed to break into the Fidelity database and downloaded customer email addresses.
I hope its [a] and not [b]. In either case Fidelity needs to take security more seriously, impose stricter limits and controls on internal access to its databases, and, if it is case [b] provide better protection of its database against external access.
From my perspective, they also need to be responsive to their customers' inquiries and need to provide a mechanism for customers to contact them by email.
Case 2 - The Facts:
I changed my email address and now the new address appears to have been compromised. On October 27 (2010) I received an email to the new address form "tns-online.com" purporting to be conducting a survey on behalf of Fidelity. The email looked very professional and appeared to be legitimate, but then that's true for all good phishing campaigns. TNS appears to be a large company headquartered in the UK and the email headers appeared to indicated that the email came from the UK. Also some of the wording had a slight hint that it was not written by a U.S. English speaking person.
So apparently Fidelity customer emails were given out to a foreign, outside, company either by Fidelity (I hope not) or they were provided by a hacker. However it gets worse. If you click on a link in the email you go into the survey. But if you "mistype" the link you get a page that requests your account login and password. So if Fidelity actually authorized this survey then they also gave the outside, foreign company the Fidelity customers' logins and passwords.
I called the contact phone number given on Fidelity's security page and described all the above. I was told to send the email to "soc.phishing at fidelity.com" which I did. I never got a response.
As a result I am in the process of moving our funds, about $1M, out of Fidelity. They make the process tortuous.* It's a relief to be getting out of Fidelity.
Case 3 - The Facts:
The security breach here is that they faxed two sets of forms, and more to come, with my social security number, in 18 point font at the top of the fax. There is no security on faxes, so my SS number is out there for any hacker to see, especially since the fax is an "eFax." They refuse to email the forms because it's not secure, yet they post all the data on a totally no security fax.
Return to P. Turula HOME page.