UC Schools Report Fraudulent Activity in Fidelity Retirement Accounts

Participants in the University of California Retirement Savings Program were informed Wednesday of several reports of fraudulent activity on the retirement accounts of program members. 

The Retirement Program Services division of the UC Office of the President announced that 120 accounts administered by Fidelity Investments at UC Davis were affected. 

Fidelity’s cybersecurity team has identified the issue, closed the vulnerability and taken steps to protect all potentially affected accounts, according to the university. 

“With regard to the UC incident, … Fidelity takes its responsibility to identify and prevent fraud seriously,” says Ted Mitchell, a vice president of corporate affairs at Fidelity. “We recently identified individuals attempting to commit fraud. We took immediate steps to address and mitigate the issue. This is isolated, and our teams have validated that it has been resolved.” 

According to an announcement from UC San Francisco, several UC schools reported to the Office of the President that users who were affected had their Fidelity account credentials changed, and attempts were then made to empty those accounts. Users have also reported receiving emails from Fidelity notifying them that their account credentials have been changed.  

Under Fidelity’s Customer Protection Guarantee, Fidelity will reimburse any losses from unauthorized account activity, provided the activity was not due to a participant’s own actions, according to the UC Davis announcement. 

Participants have been told to enable multi-factor authentication and change their Fidelity passwords, either as a precaution if they have not been notified that they were affected or as a requirement if they have been notified.  

UC Davis also informed participants to review both their UC workplace account and any personal Fidelity retail accounts, as well as to pay attention to their profile information, especially mobile numbers and emails associated with multi-factor authentication and account alerts. 

Fidelity Sued Over Separate Data Breach 

Fidelity also reported a separate data breach to the Office of the Maine Attorney General last week, confirming the personal information of 77,000 clients was exposed. From August 17 through August 19, a third party accessed and obtained client information without authorization from the company, according to the Maine AG filing. The incident did not provide any access directly to those clients’ Fidelity accounts.  

In a letter to impacted clients, Fidelity wrote that the hackers leveraged “two customer accounts that they had recently established” to gain access to information for a small subset of its customers.  

After that breach, Fidelity was sued. Two Fidelity customers, Yaakov Gluck and Seth Gluck, filed a complaint on October 10, alleging that the company failed to protect the breach victims’ personal information, causing criminals to “steal everything they possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.” 

According to the lawsuit, the personal information taken by the hackers included Social Security numbers, financial information, names, phone numbers and addresses. 

The plaintiffs accused Fidelity of failing to implement “adequate and reasonable measures” to ensure their computer systems were protected, as well as failing to prevent and stop the breach in a timely matter.  

In Gluck et al v. Fidelity Investments, the plaintiffs are seeking actual damages, statutory damages and punitive damages, citing a breach of fiduciary duties, breach of confidence, breach of implied contract and invasion of privacy.  

Fidelity’s Mitchell declined to comment on the pending litigation.