ThinkAdvisor

Fidelity, BofA, Others Face New Lawsuit Over MOVEit Data Breach

What You Need to Know

  • The MOVEit cyberattack on a file transfer tool affected hundreds of firms and millions of consumers.
  • The suit alleges defendants were negligent in maintaining consumers’ personal data.

Fidelity Investments, Bank of America, Corebridge Financial and others failed to properly secure and safeguard consumers’ private information, according to a new lawsuit arising from the massive MOVEit software data breach.

Plaintiff Frank W. Cooper, in a proposed class-action complaint filed Sept. 7 in U.S. District Court in Massachusetts, also sued F&G Annuities & Life and two other companies affected by the breach: Pension Benefit Information, which does business as PBI Research Services, and MOVEit owner Progress Software Corp.

The hack, which occurred in late May, touched hundreds of companies, including numerous financial services firms, and tens of millions of consumers worldwide, subsequently spawning multiple lawsuits.

The breach occurred when a Russian ransomware gang exploited a weakness in MOVEit, a Progress Software tool that numerous organizations use to transfer files containing sensitive data.

The attack reached many companies through PBI Research Services, which has said it uses MOVEit to help financial firms determine whether account holders are alive and find beneficiaries. PBI was one of the companies whose data the gang accessed and stole, including personal data belonging to Cooper and millions of others, the suit says.

Fidelity Investments Institutional Operations, Bank of America, Corebridge and F&G Annuities & Life entrusted tens of thousands of consumers’ personally identifiable information, including Cooper’s, to PBI and Progress Software, according to the complaint. This included names, addresses, birth dates, phone numbers and Social Security numbers, the lawsuit says.

PBI controlled Cooper’s personal data because it processes information for his retirement and annuity plans, according to the suit. In July, PBI informed Cooper and other Fidelity customers about the data breach involving MOVEit’s software, the complaint notes.

PBI notified these customers that it provides audit and address-research services for Fidelity Investments, which provides administrative services for retirement plans at Bank of America, where Cooper previously worked.

In Bank of America’s role as Cooper’s pension plan sponsor, the company provided his personal data to Fidelity and PBI, according to the complaint, which highlights the network of corporate connections that allowed the hack to reach so many organizations and consumers.

Cooper also has a deferred fixed annuity with F&G and a fixed annuity contract with Corebridge Financial, according to the suit.

The plaintiff has “suffered lost time, annoyance, interference and inconvenience because of the data breach and has anxiety and increased concerns for the loss of his privacy,” the suit contends. It says the defendants have done little to provide affected consumers with relief even though they remain at risk for identity theft and fraud for the foreseeable future.

The lawsuit claims negligence and unjust enrichment and seeks injunctive relief against all the defendants, contending they have not announced any changes to data security practices nor remedied the vulnerabilities. It also claims breach of third-party beneficiary contract against Progress Software, PBI and Fidelity.

Cooper also seeks damages in an amount to be determined.

Bank of America had no comment on the lawsuit, a company spokesman said via email Wednesday.

A spokesperson for MOVEit provided the following statement to ThinkAdvisor by email Wednesday: “We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed.”

Other defendants didn’t immediately respond to messages sent Wednesday seeking comment.

PBI, in a general statement about the attack on its website, noted that it “promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement, and contacted impacted clients.”

When Fidelity notified affected clients in July, it noted the situation was not the result of any issues with the investment giant’s systems or any breach of Fidelity’s environment, and said it was continuing to monitor participants’ accounts for suspicious activity.
