First BofA, Now Fidelity: Same Vendor Behind Third-Party Breaches

Fidelity Investments Life Insurance Company (FILI) is notifying nearly 30,000 affected individuals of a third-party data breach that has compromised their information.

According to a notice filed with the state of Maine, third-party service provider Infosys McCamish (IMS) notified Fidelity in November about a "cybersecurity event" that disrupted its services. After an investigation alongside a third-party firm, IMS discovered that its systems were breached between Oct. 29 and Nov. 2. The unauthorized actor also was able to obtain data stored on those systems.

In its notice to 28,268 individuals, Fidelity reports that IMS is unable to determine what sensitive information was accessed in the breach, but based on the information IMS has provided it's likely that it included individual names, Social Security numbers, states of residence, bank account and routing numbers, and dates of birth. 

This is the second time this year alone that a company has had to tell customers that their data was compromised in a third-party breach in connection with IMS. Last month, Bank of America faced a breach after IMS experienced a ransomware attack, compromising the data of over 57,000 customers. The data accessed in that breach was of similar material that was compromised for Fidelity merchants. It's unclear whether the IMS woes tie back to the same cyber incident.

"Third-party security breaches continue to increase in frequency and impact. Enterprises are highly reliant on third-party service providers, who are now often the easiest vector into an enterprises most critical data," Jeff Margolies, chief product and strategy officer Saviynt, said in an emailed statement. "Enterprises need to improve their capabilities to manage and govern their third-party access as part of their identity-security programs."

As Fidelity continues to review its records of affected individuals and engage with IMS regarding the breach, it offers 24 months of credit monitoring through TransUnion Interactive. It said that merchants should personally review their financial statements and credit reports, and report any fraudulent or suspicious activity to authorities.