Fidelity Investments customer email database compromised

Apparent data breach and other security problems with Fidelity

Case 1 - The Facts:

I have had large Fidelity accounts since 1975.  Since I have my own domain I can easily give unique email addresses to organizations that I deal with.  A few years ago I gave Fidelity a unique email address that has been used nowhere else and has appeared nowhere else.

On June 6, 2010 I started receiving daily finance-related spam emails at the email address that only Fidelity had.  The emails were from flagcuffs.info and directed the reader to a website with that domain name.
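The per-organization address scheme described above is a simple canary technique: because each organization receives an address used nowhere else, any mail arriving at that address from an unexpected sender points back to the organization whose copy of the address leaked. As an added example (not the page author's code), the following Python script shows how such a registry can be checked mechanically. The canary addresses, the organization list, the example.com domain and the sample messages are all constructed for illustration; the only value taken from the page is the flagcuffs.info sender domain.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: one unique mailbox per organization, all on the
# owner's own domain (example.com is a placeholder, not the author's domain).
CANARIES = {
    "fidelity-8f3a@example.com": {
        "org": "Fidelity",
        "expected_domains": {"fidelity.com"},
    },
    "utility-1c9d@example.com": {
        "org": "Village water utility",
        "expected_domains": {"village-water.example"},
    },
}


def recipients(msg):
    """All recipient addresses in To/Cc/Delivered-To, lower-cased."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def sender_domain(msg):
    """Domain part of the From address, or '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return (org, canary, sender_domain) tuples for every canary address
    in this message that received mail from a domain the organization is
    not expected to use."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    hits = []
    for addr in sorted(recipients(msg)):
        entry = CANARIES.get(addr)
        if entry is None:
            continue  # not one of our canary mailboxes
        if dom not in entry["expected_domains"]:
            hits.append((entry["org"], addr, dom))
    return hits


def suspected_leaks(raw_messages):
    """Aggregate hits across a mailbox: org -> set of unexpected sender domains.
    An organization appearing here is the prime suspect for the leak."""
    leaks = {}
    for raw in raw_messages:
        for org, addr, dom in check_message(raw):
            leaks.setdefault(org, set()).add(dom)
    return leaks


# Constructed sample messages (headers only; bodies are placeholders).
SAMPLE_MESSAGES = [
    "From: Fidelity Alerts <alerts@fidelity.com>\n"
    "To: fidelity-8f3a@example.com\n"
    "Subject: Statement available\n\nplaceholder body\n",
    "From: Market Tips <news@flagcuffs.info>\n"
    "To: fidelity-8f3a@example.com\n"
    "Subject: Daily picks\n\nplaceholder body\n",
    "From: Billing <billing@village-water.example>\n"
    "To: utility-1c9d@example.com\n"
    "Subject: Your bill\n\nplaceholder body\n",
]

if __name__ == "__main__":
    for org, domains in suspected_leaks(SAMPLE_MESSAGES).items():
        print(f"{org}: canary address received mail from {sorted(domains)}")
```

Run over a real mailbox, the script would be fed raw messages exported from the mail client; the one design point worth noting is that the check keys on the recipient address rather than the message content, so it is indifferent to how the spam is worded and will catch a leak on the first message that arrives.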

I reported this to Fidelity, spoke with their Electronic Support "Specialist," and sent him copies of the emails.  The emails stopped after about two weeks.  I assume Fidelity clicked on the "unsubscribe" link in the spam email on my behalf.

I have since found another Fidelity customer who started receiving similar emails at about the same time.


About a month later I sent an email to the "Specialist" enquiring into the status of the investigation into this problem.  I received no response, sent the email again, and still got no response.  Some time after that I was talking to a Fidelity customer rep on another matter and told him of the security breach I was concerned about, gave him the "Specialist's" name, and asked to have the "Specialist" call me and bring me up to date on Fidelity's investigation of this matter.  I received no call back from anyone.


Possible explanations:

[a] - Some staff person at Fidelity sold the Fidelity customer email list to that spammer.

[b] - The spammer managed to break into the Fidelity database and downloaded customer email addresses.

I hope it's [a] and not [b].  In either case Fidelity needs to take security more seriously, impose stricter limits and controls on internal access to its databases, and, if it is case [b], provide better protection of its database against external access.

From my perspective, they also need to be responsive to their customers' inquiries and need to provide a mechanism for customers to contact them by email.

Case 2 - The Facts:

I changed my email address and now the new address appears to have been compromised.  On October 27 (2010) I received an email at the new address from "tns-online.com" purporting to be conducting a survey on behalf of Fidelity.  The email looked very professional and appeared to be legitimate, but then that's true for all good phishing campaigns.  TNS appears to be a large company headquartered in the UK, and the email headers appeared to indicate that the email came from the UK.  Also, some of the wording had a slight hint that it was not written by a U.S. English-speaking person.

So apparently Fidelity customer emails were given out to a foreign outside company, either by Fidelity (I hope not) or by a hacker.  However, it gets worse.  If you click on a link in the email you go into the survey.  But if you "mistype" the link you get a page that requests your account login and password.  So if Fidelity actually authorized this survey, then they also gave the outside, foreign company the Fidelity customers' logins and passwords.

I called the contact phone number given on Fidelity's security page and described all the above.  I was told to send the email to "soc.phishing at fidelity.com", which I did.  I never got a response.

As a result I am in the process of moving our funds, about $1M, out of Fidelity.  They make the process tortuous.*  It's a relief to be getting out of Fidelity.

Case 3 - The Facts:

The security breach here is that they faxed two sets of forms, with more to come, with my social security number in 18-point font at the top of the fax.  There is no security on faxes, so my SS number is out there for any hacker to see, especially since the fax is an "eFax."  They refuse to email the forms because it's not secure, yet they post all the data on a fax with no security at all.


*
-- I've talked to a dozen people at Fidelity so far and am nowhere near halfway through.  And it's a different person every time, with a different set of requirements.  BTW, only one expressed any interest in why I'm closing the accounts.
-- Friday Nov. 19:  Fidelity will close my accounts today, but they can't send the check out today - it will be the next business day - Monday.  I "should" get it the third day - maybe too late for my overnight pickup - so it goes to the next financial institution the fourth day and they get it on the fifth.  So the money is in limbo for four days.  I can pay my village water bill instantly electronically;  I can transfer money from my broker to my bank instantly;  but Fidelity has to have 4 days to send almost a million dollars to another retirement fund manager - they can't do it electronically.
-- Fidelity just added two more days to the time the funds will be uninvested.  They send the check by "overnight", but not what everybody assumes "overnight" means.  They use UPS "NEXT DAY AIR SAVER", which is delivery by midnight the next day, not 10 AM as most overnight deliveries provide.  They save $2.50! And it could cost their customer $20,000 in an up-market day.  My funds were withdrawn from the Fidelity account on Nov. 19.  They can't be reinvested till Nov. 29!  How's that for timely service?
-- Monday Nov. 22:  Fidelity can't change shipment to overnight.  They did change it to "intercept" so I could get it at the UPS Hub on Tuesday morning - or so they told me.  Tuesday I drove to the UPS Hub.  No package - they don't take it off the truck till "AFTER" the truck returns from the day's deliveries - after 6 PM!  That means I drive back and pick up the check Wednesday morning.
