fidelity data loss

I got an alarming email in my work inbox this morning regarding the fact that Fidelity allowed my personal information, such as social security number, address, and salary, to be stolen. Schneier has a few things to say on this issue… First, from Public Disclosure of Personal Data Loss:

This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won’t be reported.

How prescient. I could find nothing in Google news today regarding this theft that probably only affected US-based HP employees, which is probably on the order of 50,000 or so. (Update: turns out the real number was closer to 200,000. Nice.) Next, in Most Stolen Identities Never Used, I suppose I can find a bit of advice:

But remember, the main security value of notification requirements is the cost. By increasing the cost to companies of data thefts, the goal is for them to increase their security. (The main security value used to be the public shaming, but these breaches are now so common that the press no longer writes about them.)

Consider this my attempt at publicly shaming Fidelity (more on this later). Finally, we have Risks of Losing Portable Devices. I don’t know whether to laugh or cry, but perhaps someone at Fidelity should start reading Schneier’s blog.

Now when I joined HP, I promised not to reveal any company secrets, so I won’t post the mail that landed in my inbox today. However, I never signed any such agreement with Fidelity, which is why I don’t feel bad about posting this letter I saw when I logged onto the Fidelity site this morning.

March 21, 2006

Dear Participants in Hewlett-Packard sponsored Retirement Plans:

Please Read This Important Notice re: Security Alert

We are writing to let you know that a laptop computer containing personally identifiable information used for a business meeting was recently stolen. We believe that identifying information about you was contained in the laptop.

Law enforcement was notified after we learned of the theft and is conducting an investigation.

At this time, we are not aware that the information contained in the laptop has been misused. Even so, we want to inform you of the situation and to suggest some steps you can take to protect yourself from identity theft now and in the future.

We deeply regret this situation and are keenly aware of how important your personal information is to you. This letter is to provide you with information you need to understand the situation and to protect yourself from misuse of your information, including identity theft.

What happened?

A laptop belonging to Fidelity Investments, which provides services to the Participants in Hewlett-Packard sponsored Retirement Plans (including current and former Hewlett-Packard employees, as well as former employees of acquired companies) (“HP Participants”), was stolen on the evening of March 15th.

The laptop contained personal data of HP Participants, including names, Social Security numbers, addresses, dates of birth, compensation and other employee retirement plan information. It is important for you to know that the license to the software which contained the data has expired. As a result, the scrambled data is difficult to interpret. We have no evidence that the information has been misused. Further, it is in a form that is generally unusable.

Allow me to interject here. What the hell was all of our data doing on a laptop? And how on earth did you then allow it to get stolen? This speaks of seriously bad computing practice to me. I’m going to sound like a naive outsider here, but it simply doesn’t make sense that important information like this is not locked down on a centrally located server, with both electronic and physical security. That you even allow a copy of the data to be made and toted about on a laptop just screams of amateur hour.

Also, this letter is dated March 21, while your laptop was stolen on March 15. Why did it take you so long to notify us?

What steps has Fidelity taken?

We have alerted our Fidelity representatives to this situation and implemented extra security processes requiring additional authentication for access to your account as well as other measures to prevent unauthorized use. Accordingly, we encourage you to be prepared to provide additional personal and/or account information to verify your identity.

We also have employed additional security controls above and beyond our already significant monitoring activity to identify if there is any unusual activity in your Fidelity accounts.

We are contacting the three principal credit reporting bureaus, Equifax, Experian and Trans Union, to advise them of the situation.

Fidelity has also arranged for you to enroll, at your option, in a credit monitoring service at no cost to you. This service will allow you to monitor your credit as well as any unusual activity that may affect your personal financial situation, although we have no knowledge of any misuse of this information. The service is provided by Equifax, one of the major credit reporting companies that monitors activity. For details on how to enroll in this service, log on to Fidelity NetBenefits® at https://netbenefits.fidelity.com. From the NetBenefits home page, click on the link in the News section on the right hand side of the home page. Once you have enrolled, you will be provided with several valuable services including credit monitoring, a copy of your credit report, notification of activity, additional access to your credit report, and some level of identity theft insurance for expenses. In addition, you will have access 24 hours a day, 7 days a week to Equifax’s customer service representatives.

What additional actions can you take to protect yourself?

It is always a good practice to regularly review activity on your accounts and to obtain your credit report from one or more of the national credit reporting companies. We recommend that you remain vigilant for at least the next 12 to 24 months, and to promptly report any incidents of suspected identity theft to us and to the proper authorities.

The enclosed Reference Guide will provide you more information on identity theft, how to report it and how to protect yourself.

Please know that Fidelity is treating this matter extremely seriously. We value your business and the trust you have placed in Fidelity and we deeply regret any inconvenience or concerns this may cause you.

If you have any questions or need additional information, our representatives are prepared to help you. Please call 1-800-414-4015.

Sincerely,

William G. Duserick
Vice President, Chief Privacy Officer
Fidelity Investments

Thanks William. So nice to hear that you deeply regret any inconvenience such as my identity getting stolen. Fidelity, you suck.

Update: well it finally made the news: http://biz.yahoo.com/ap/060323/fidelity_laptop_stolen.html?.v=2

6 Comments

  1. morrin — March 22, 2006

    i am gonna take a guess at your social
    428-84-2394

  2. alex — March 22, 2006

    Close. You’re only off by one number. I’m not gonna tell you which one though.

    /ac

  3. Al — March 24, 2006

    Alex, I loved your post on this. Thank you.

    I feel the same way you do.

    I got a UPS express delivery yesterday saying that I was one of the people whose data was stolen. If I fax you a copy of the letter, would you want to scan it into your blog? As publications (like USA Today) are writing about this story, they may want to point to your site, which would have the “official” letter from Fidelity.

    Just a thought.

    I want Fidelity to offer us more than “one year of credit reports.”

  4. Peter Denek — April 1, 2006

    If talking to the poor representatives at the 800 number is not satisfying enough, you can always call Bill at home in order to talk to him about it.

    http://www.google.com/search?q=william+duserick+arlington

  5. Peter Denek — April 1, 2006

    I should have mentioned that when I did call Bill at home, he said that Fidelity would still allow personal information to be carried on laptops, but that the chance of a privacy theft happening again would be very small.

    He said that the March 15 theft had a really small chance of happening, too.

  6. alex — April 4, 2006

    Al,

    Thanks for the offer. I got the same UPS letter too, but I think I’ll pass on the scanning part (mostly because I don’t have a scanner). If you would like to scan it and email me a copy though, I’d be happy to post it here.

    /ac
