A recent lawsuit from the massive MOVEit software data breach has accused several prominent financial institutions, including Fidelity Investments, Bank of America, Corebridge Financial, and others, of failing to secure and protect consumers' private information adequately. The lawsuit, filed on September 7 in U.S. District Court in Massachusetts by plaintiff Frank W. Cooper as a proposed class-action complaint, also targets F&G Annuities & Life, Pension Benefit Information (doing business as PBI Research Services), and MOVEit's owner, Progress Software Corp.
This data breach, which occurred in late May, impacted hundreds of companies, including numerous financial service providers, and affected tens of millions of consumers worldwide, leading to multiple legal actions. The breach was executed by a Russian ransomware group exploiting a vulnerability in MOVEit, a software tool developed by Progress Software and widely used for transferring sensitive information files.
The breach significantly impacted various organizations through PBI Research Services, which utilized MOVEit to assist financial institutions in verifying the status of account holders and identifying beneficiaries. As detailed in the lawsuit, PBI itself fell victim to the cyberattack, resulting in the theft of extensive personal data belonging to Cooper and countless others.
According to the complaint, Fidelity Investments Institutional Operations, Bank of America, Corebridge, and F&G Annuities & Life entrusted the personal information of tens of thousands of consumers, including Cooper, to PBI and Progress Software. This information encompassed names, addresses, birthdates, phone numbers, and Social Security numbers.
The suit asserts that PBI held Cooper's data because it processed information related to his retirement and annuity plans. In July, PBI notified Cooper and other Fidelity customers about the data breach involving MOVEit's software.
The lawsuit underscores the intricate network of corporate connections that allowed the breach to affect numerous organizations and individuals. It highlights that as Cooper's pension plan sponsor, Bank of America shared his data with Fidelity and PBI.
The complaint also points out that Cooper holds deferred fixed annuities with F&G and a fixed annuity contract with Corebridge Financial.
As a result of the breach, the plaintiff claims to have experienced lost time, annoyance, interference, and inconvenience, along with heightened concerns about the loss of privacy. The lawsuit alleges that the defendants have taken insufficient measures to alleviate the situation, leaving affected consumers vulnerable to identity theft and fraud.
The legal action includes claims of negligence and unjust enrichment. It seeks injunctive relief against all defendants, asserting that they have not implemented any changes to enhance data security practices or address vulnerabilities. Additionally, the lawsuit alleges a breach of a third-party beneficiary contract involving Progress Software, PBI, and Fidelity.
Cooper is also pursuing damages, the amount of which will be determined at a later stage.
Bank of America declined to comment on the lawsuit, as stated by a company spokesperson. MOVEit provided a statement emphasizing its focus on collaborating with customers to enhance security measures.
Other defendants mentioned in the lawsuit did not respond immediately to comment inquiries.
In a general statement on its website regarding the attack, PBI mentioned that it had promptly patched its MOVEit instance, engaged cybersecurity and privacy experts, informed federal law enforcement, and reached out to affected clients.
When notifying impacted clients in July, Fidelity clarified that the situation did not result from any issues with the company's systems or any breach within its environment. They assured clients that they were actively monitoring accounts for suspicious activity.
A version of this post originally appeared at https://www.thinkadvisor.com/2023/09/14/fidelity-bofa-others-face-new-lawsuit-over-moveit-data-breach/
