E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: The Toronto Star

Posted on May 30, 2002

      A design flaw at a Fidelity Investments online service accessible to 300,000 people allowed Canadian account holders to view other customers' account activity.

      The problem was discovered over the weekend by Ian Allen, a Fidelity customer and a computer studies teacher at Algonquin College in Ottawa.

      Fidelity said it has fixed the problem and is offering the 30 or so affected customers the option of changing account numbers.

      Allen said yesterday he tried logging on to the service Saturday after receiving his account password Friday. He requested a summary of his account and got back a Web page ending in "799.pdf."

      He then started changing numbers to see what would happen and found that he could access other accounts.
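The flaw described above (a statement served by whatever number appears in the URL, with no check that it belongs to the logged-in customer) is the pattern now called an insecure direct object reference. The following Python is an added example, not code from the article or from Fidelity; the account identifiers, statement numbers and access-log entries are constructed. It places the vulnerable handler beside the corrected one, and adds a log-review function of the kind a "review of Internet logs" depends on to find sessions that read statements owned by other customers.

```python
"""Added example (not from the article): statement lookup with and without an
ownership check, plus a log-review helper. All data below is constructed."""
from collections import defaultdict

# Constructed store: statement number -> (owning account, statement body).
# Sequential numbers like these are what made the original flaw easy to find,
# but the real defect is the missing ownership check, not the numbering.
STATEMENTS = {
    798: ("ACC-0001", "statement for ACC-0001"),
    799: ("ACC-0002", "statement for ACC-0002"),
    800: ("ACC-0003", "statement for ACC-0003"),
}


def serve_statement_insecure(session_account, statement_id):
    """Vulnerable form: trusts the number in the URL and never asks whether the
    authenticated account owns that statement. Returns None if no such number."""
    record = STATEMENTS.get(statement_id)
    if record is None:
        return None
    _owner, body = record
    return body  # session_account is never consulted


def can_view(session_account, statement_id):
    """Authorization decision: the statement must belong to the caller's account."""
    record = STATEMENTS.get(statement_id)
    return record is not None and record[0] == session_account


def serve_statement_secure(session_account, statement_id):
    """Fixed form: the same 'not found' result for a missing number and for a
    number owned by someone else, so the response does not reveal which
    statement numbers exist."""
    if not can_view(session_account, statement_id):
        return None
    return STATEMENTS[statement_id][1]


# Constructed access-log entries: (session id, authenticated account, requested
# statement number). sess-B reads its own statement, then two belonging to others,
# then a number that does not exist.
SAMPLE_LOG = [
    ("sess-A", "ACC-0001", 798),
    ("sess-B", "ACC-0002", 799),
    ("sess-B", "ACC-0002", 800),
    ("sess-B", "ACC-0002", 798),
    ("sess-B", "ACC-0002", 801),
]


def sessions_reading_foreign_statements(log, statements=STATEMENTS):
    """Log review: map each session to the set of statement numbers it requested
    that belong to an account other than the one it was logged in as. Numbers
    with no record are skipped (nothing was disclosed for them)."""
    hits = defaultdict(set)
    for session, account, statement_id in log:
        record = statements.get(statement_id)
        if record is not None and record[0] != account:
            hits[session].add(statement_id)
    return dict(hits)


if __name__ == "__main__":
    print("insecure:", serve_statement_insecure("ACC-0002", 798))
    print("secure:  ", serve_statement_secure("ACC-0002", 798))
    print("foreign reads:", sessions_reading_foreign_statements(SAMPLE_LOG))
```

The secure handler makes the ownership check part of the lookup itself rather than a separate step a later change could forget, and returns the same result for "not yours" and "does not exist". The log-review function is the offline counterpart: given request logs that record the authenticated account alongside the requested identifier, it lists exactly which sessions saw another customer's data, which is the question the spokesperson's statement answers.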

      "Sure enough, I got somebody else's mutual-fund statement," Allen said.

      He said he viewed scores of statements that contained names, addresses, account numbers and transaction histories, and then reported the flaw to Fidelity.

      "I immediately sent them off an e-mail, saying, `Your Web site's broken. Please fix it and get a new Web design team.'"

      Fidelity spokesperson Kimberly Flood said yesterday the company fixed the breach once it received Allen's message Monday. She said that, based on a review of Internet logs, only Allen is believed to have gained access to other accounts.

      Allen said he was surprised such a large company seems not to have validated the security of its Web site.

      "It looks like they have what I call the `mainframe mentality.' Their IT department put something up, told the executives it was secure, and it wasn't. The executives should say, `Okay, we're going to hire this other company to try to break it. If they do, you're fired.'"

      The glitch did not affect U.S. customers, nor did it permit anyone to make unauthorized transactions, Flood said.

      Fidelity shut down that portion of the Web site while it investigated the flaw, fixed the application and restored service Tuesday, Flood said. Customers were able to access their accounts through other applications on the site.

      Allen plans to stay with Fidelity.

      "I'd much rather have (investments) with a company that's been caught and is working to fix it than with someone who hasn't been caught yet, but probably should be."


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
