An Article from Aaron's Article ArchiveFidelity.com Security Breach - Private Information Compromised
Photo: A Windy March SunsetIPv4You are not logged in. Click here to log in.
Use Google to search aarongifford.com:
Fidelity.com Security Breach - Private Information Compromised
Monday, 26 March 2012 1:42 PM MDT
Back in December 2011, I shared how Equifax had leaked private, personal information to persons unknown on the Internet.
Sadly, another large corporation entrusted with monetary and other assets by many people, seems to have done the same thing. That company?
Fidelity via their online web site fidelity.com.
How do I know?
As with Equifax, I had an online access account set up with them and it used a unique, never-shared-with-anyone-else, secure email address dedicated exclusively for use communicating with Fidelity.com.
Incident #1: On or Before 23 August 2011
Suddenly,out of the blue, last summer in August 2011, that address started receiving junk email from party or parties unrelated to Fidelity and my account there. The only way that could have happened was if Fidelity had leaked my private, personal information, or a third party entrusted by Fidelity with my information had leaked it.
I informed Fidelity and immediately changed my email address to a new, secure, hard-to-guess, exclusively-for-use-to-communicate-with-Fidelity address. I didn't hear back from Fidelity, but I hoped they took my alert to heart and corrected the security breach at Fidelity.
Incident #2: On or before 26 March 2012
Imagine my surprise and disillusionment when today I discovered junk mail addressed to my supposedly-secure-since-August new email address, one that only Fidelity had access to! Sorry, Fidelity, YOU BLEW IT!
That's twice you have apparently leaked my personal private information without authorization! That is highly indicative of a security breach somewhere, either directly at Fidelity.com, or with affiliated parties that provide key services to Fidelity users.
MY REQUEST TO FIDELITY:
Fidelity, please take this seriously. Please immediately investigate and track down where the leak is. Plug that leak! This is VITAL. It could be a symptom of a deeper leak of information.
Don't suppose that just because the information leaked was an e-mail address that it's okay to ignore this! Once someone knows an email address associated with a Fidelity account, that's one step closer a potential malicious thief is to stealing that account or stealing assets from it!
HOW CAN I TRUST YOU?
Fidelity, do I dare keep assets with you? Do I dare use your financial services if you can't keep my information safe, private, and secure?
UPDATE: (Message from Fidelity received 13 April 2012)
To: Aaron GiffordI'm glad they're taking this seriously.
Subject: RE: Fidelity and Spam email follow up
Date: 04/13/2012 03:05 PM EDT
Dear Mr. Gifford:
I am writing just to touch base with you, regarding the blatant Spam addressed to the email account that you have shared only with Fidelity.
Thank you for the quality of your report and the inclusion of technical detail. We want you to understand we take your concern seriously, and are investigating your report aggressively as we are equally eager to uncover the root cause.
Have a great weekend, Mr. Gifford, and thank you for being a valuable customer with us!
Dawna [Last name omitted by Aaron]
Fidelity Brokerage Services LLC, Member NYSE, SIPC