Fidelity Says Vendor Breach Affected Over 28,000 Life Customers

FIdelity Investments sign

What You Need to Know

The LockBit attack affected only the life operations, not the mutual fund business.
The attack did not affect Fidelity Investments or Fidelity Investment Life systems.
The people affected will get 24 months of free credit morning monitoring and identity theft response services.

The LockBit ransomware group may have taken the bank account and routing numbers of thousands of Fidelity Investments Life Insurance Company customers when it hacked the systems of a Fidelity Investors Life vendor last fall.

Brian Leary, Fidelity Investments’ chief compliance officer, told officials in Maine and California about the effects of the data breach on the life subsidiary in notices filed Friday.

The LockBit group hit the computers of Infosys McCamish Systems, a company that provides information technology support for many life insurers. The McCamish systems held records for 28,268 Fidelity Investments Life policyholders when the attack occurred.

Fidelity Investment Life administration systems are separate from the parent company’s mutual fund administration systems, and the LockBit attack did not affect the mutual fund operations.

McCamish is still investigating the incident and is “unable to determine with certainty what personal information was accessed,” Fidelity Investments Life says in a letter that started going out to its policyholders Friday. “However, based on information recently provided by McCamish to [Fidelity Investments Life], we believe that the following information related to you was likely acquired by the third party: your name, Social Security number, state of residence, bank account and routing number (if you provided that information to us to make premium payments on your life insurance policy) and date of birth.”

See also  Stop Your Clients From Letting Election Fears Drive Investment Decisions

What it means: In the near future, more of your clients may be coming to you with questions about data breach notices.

In the long run, getting through online financial systems’ identity verification systems might become even more complicated.

Fidelity Investments Life: Fidelity Investments acquired its life insurance business — the former Independence Square Life Insurance Co. — in 1986, then renamed it and moved its official state of domicile to Utah, from Pennsylvania, in 1992.

The company writes term life and some other products for its parent company’s customers, and it distributes life and annuity products written by other companies. It reported $102 million in net income in 2022 on $1.7 billion in revenue and $36 billion in assets.

Infosys McCamish Systems: McCamish is part of Infosys Ltd., a Bangalore-based outsourcing company with about 300,000 employees.

McCamish itself is based in Atlanta. It reported $34 million in profits in 2022 on $462 million in revenue.

Fidelity’s life unit discloses in registration statements for its variable life funds that cyberattacks on vendors could hurt its operations and its funds.

The unit ”cannot control the cyber security plans and systems put in place by its service providers or any other third parties whose operations may affect its business,” the company warns in one of the registration statements.