Cyber Incident Victim: Fidelity Investments
Date: May 2023
Location: United States of America
Summary
A cybersecurity incident at Pension Benefit Information, LLC involved an external system breach that compromised the personal information of over 370,000 individuals, including nearly 2,000 Maine residents. The data acquired consisted of names combined with Social Security numbers. The organization offered affected individuals 24 months of credit monitoring and identity theft restoration services.
Description
On or around May 29, 2023, an external system breach occurred at Pension Benefit Information, LLC (PBI), a commercial entity based at 333 South Seventh Street, Suite 2400, Minneapolis, MN, 55402. The breach, which was a hacking incident, continued through May 30, 2023. The specific technical nature of the attack, including the attack vectors or methods used by the threat actors to gain unauthorized access to PBI's systems, was not detailed in the available notification. The intrusion was not discovered immediately; instead, it was identified several days later on June 2, 2023. The discovery initiated the organization's incident response protocols to assess the scope and impact of the unauthorized access.

The investigation into the breach determined that the acquired information involved personal identifiers. The compromised data consisted of names in combination with Social Security numbers. This specific combination of personal information is highly sensitive and is classified as personally identifiable information (PII) that can be used for identity theft and financial fraud. The investigation concluded that no other types of personal or financial data, such as driver's license numbers, financial account information, or medical records, were acquired as part of this particular security incident. The focus was solely on names and Social Security numbers.
The total number of individuals affected by this data breach was substantial, impacting 371,359 persons. This figure represented the total number of affected individuals across all jurisdictions, not limited to a single state. Among this larger population, the number of affected Maine residents was specifically identified as 1,912 individuals. Because the number of affected Maine residents exceeded 1,000, Pension Benefit Information, LLC fulfilled its statutory obligation by notifying the relevant consumer reporting agencies of the security event. This step is part of standard breach notification procedures required under various state laws when a breach reaches a certain threshold.
The breach notification was submitted to the Maine Attorney General's office by Maureen Sheehan, who held the position of General Counsel for PBI. Her contact information, including a telephone number and email address, was provided in the official filing. The submission was made on behalf of Pension Benefit Information, LLC, and she was identified as having a direct relationship to the entity whose information was compromised. The filing was categorized under the organization type "Other Commercial," indicating PBI's commercial business nature.
Affected consumers were to be notified in writing. The company planned to dispatch these written notices to all individuals whose personal information was involved in the breach. The consumer notification was scheduled for July 12, 2023. This date fell over a month after the discovery of the breach on June 2, which is a common timeframe allowing for a complete investigation to determine the full scope and for the preparation and coordination of mass mailing efforts. A copy of the intended notice for Maine residents, titled "Notice of Data Event - PBI - ME.pdf," was included with the submission to the state authority.
As part of its response to mitigate potential harm to the affected individuals, Pension Benefit Information, LLC offered to provide identity theft protection services. The offer was made to all 371,359 affected persons. The protection services included 24 months of credit monitoring and identity theft restoration services. These services were to be provided through the firm Kroll, a well-known provider of risk and financial advisory solutions, including cybersecurity and data breach response services. The credit monitoring service would help individuals detect any suspicious activity related to their credit files, while the identity theft restoration service would provide support in the event that an individual needed to recover from identity theft.
The breach was reported to the Maine Attorney General's office through its online portal dedicated to data security breaches. This portal is part of the state's Consumer Protection division, which handles privacy, identity theft, and data security breach matters. The public listing of the breach serves as an official record and provides transparency to residents. The incident was listed among other data breach notifications received by the state. The filing confirmed that there were no previous breach notifications submitted by Pension Benefit Information, LLC within the twelve months preceding this event, indicating this was a standalone incident for the company during that recent period.
The compromise of Social Security numbers alongside names represents a significant risk to the affected individuals, as this data can be exploited for a wide array of fraudulent activities. Such activities include the filing of fraudulent tax returns, opening new lines of credit, obtaining loans, or accessing other benefits in the victim's name. The offering of two years of credit monitoring and identity restoration services is a standard remedial measure intended to provide a safety net for those whose information was exposed. The duration of 24 months is a common offering in the industry for breaches involving highly sensitive information like Social Security numbers.
The operational impact on Pension Benefit Information, LLC involved the execution of its incident response plan, which included forensic investigation to determine the breach's cause and scope, internal reporting, and coordination with external partners like Kroll for the provision of protection services. The company also engaged with regulatory bodies, as evidenced by the filing with the Maine Attorney General, to comply with state breach notification laws. The legal and administrative efforts required to manage the notification process for over 370,000 individuals were a substantial undertaking, involving the preparation and mailing of a high volume of physical letters and the establishment of support channels for affected consumers to ask questions or enroll in the offered services. The focus of the public response was on transparency and providing a means for individuals to protect themselves following the exposure of their personal data.
