Fidelity Says Vendor Breach Affected Over 28,000 Life Customers

News March 04, 2024 at 03:05 PM

What You Need To Know

  • The LockBit attack affected only the life operations, not the mutual fund business.
  • The attack did not affect Fidelity Investments or Fidelity Investments Life systems.
  • The people affected will get 24 months of free credit monitoring and identity theft response services.

The LockBit ransomware group may have taken the bank account and routing numbers of thousands of Fidelity Investments Life Insurance Company customers when it hacked the systems of a Fidelity Investments Life vendor last fall.

Brian Leary, Fidelity Investments' chief compliance officer, told officials in Maine and California about the effects of the data breach on the life subsidiary in notices filed Friday.

The LockBit group hit the computers of Infosys McCamish Systems, a company that provides information technology support for many life insurers. The McCamish systems held records for 28,268 Fidelity Investments Life policyholders when the attack occurred.

Fidelity Investments Life administration systems are separate from the parent company's mutual fund administration systems, and the LockBit attack did not affect the mutual fund operations.

McCamish is still investigating the incident and is "unable to determine with certainty what personal information was accessed," Fidelity Investments Life says in a letter that started going out to its policyholders Friday.

"However, based on information recently provided by McCamish to [Fidelity Investments Life], we believe that the following information related to you was likely acquired by the third party: your name, Social Security number, state of residence, bank account and routing number (if you provided that information to us to make premium payments on your life insurance policy) and date of birth," it explained.

What it means: In the near future, more of your clients may be coming to you with questions about data breach notices.

In the long run, getting through online financial systems' identity verification systems might become even more complicated.

Fidelity Investments Life: Fidelity Investments acquired its life insurance business — the former Independence Square Life Insurance Co. — in 1986, then renamed it and moved its official state of domicile to Utah, from Pennsylvania, in 1992.

The company writes term life and some other products for its parent company's customers, and it distributes life and annuity products written by other companies. It reported $102 million in net income in 2022 on $1.7 billion in revenue and $36 billion in assets.

Infosys McCamish Systems: McCamish is part of Infosys Ltd., a Bangalore-based outsourcing company with about 300,000 employees.

McCamish itself is based in Atlanta. It reported $34 million in profits in 2022 on $462 million in revenue.

Fidelity's life unit discloses in registration statements for its variable life funds that cyberattacks on vendors could hurt its operations and its funds.

The unit "cannot control the cyber security plans and systems put in place by its service providers or any other third parties whose operations may affect its business," the company warns in one of the registration statements.

In 2022, Fidelity Investments Life paid McCamish $719,704 for administrative services, according to the registration statement.

The LockBit attack: LockBit, a ransomware group that's been getting law enforcement attention since 2019, broke into IMS systems around Oct. 29, 2023.

The group announced on X, formerly Twitter, that it had taken 50 gigabytes of IMS data.

The attack has affected both life insurers that use IMS systems directly and life insurers with ties to IMS systems through administrative services vendors. In February, Bank of America and Northwestern Mutual announced that up to 80,000 of their customers were affected by the LockBit IMS attack through the impact of the attack on an executive retirement plan administrator.

Infosys said in its latest quarterly earnings report that the attack had resulted in the non-availability of some McCamish applications and systems.

"McCamish initiated its incident response and engaged cybersecurity and other specialists to assist in its investigation of and response to the incident and remediation and restoration of impacted applications and systems," Infosys said. "By Dec. 31, 2023, McCamish, with external specialists' assistance, substantially remediated and restored the affected applications and systems."

The attack has cost IMS $30 million so far, Infosys said.

The FBI and the U.K. National Crime Agency announced last week that they had seized many LockBit websites.

The Fidelity Investments Life perspective: Fidelity Investments Life said in a comment about the incident that it "has started notifying certain customers that their information may have been compromised in a cybersecurity incident that occurred at Infosys McCamish Systems, a vendor used by FILI."

"This incident is not the result of any issues with Fidelity's systems or any breach of Fidelity's environment," the company said. "We take the protection of customer information seriously and we continue to be in contact with Infosys McCamish Systems and will take appropriate actions as needed."

Remediation: Fidelity Investments Life said affected policyholders will get 24 months of credit monitoring and identity theft restoration services through TransUnion.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
