Glitch at Fidelity Canada exposes customer info

Fidelity Investments Canada Ltd. said it has corrected a problem that allowed an Ottawa college professor to access static account information of other customers last weekend.

The cause of the error, which affected 30 customers in Canada and data held on one server, is still under investigation, Fidelity spokeswoman Kimberly Flood said today. She added that the Web logs for the company’s Web site showed that no one other than Allen had accessed the information. The Web site and server in question serve 17,000 customers in Canada; Fidelity customers in the U.S. were not affected. Flood said the company has offered new passwords to the 30 affected customers.
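Flood’s statement that the Web logs showed no one else had accessed the files is exactly the check an incident responder would run: every successful request for a statement file, grouped by the authenticated session, compared against which customer actually owns that statement. The script below is an added example and not Fidelity’s code. It assumes an access log that records the logged-in user ID in the third field of each line and a lookup table from statement number to owning customer; the log lines, customer IDs and statement numbers are constructed for illustration. Because the article does not say whether the cache directory required a login at all, fetches with no user ID are reported separately.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format, authenticated user ID
# in the third field). Not Fidelity's logs.
SAMPLE_LOG = """\
10.0.0.5 - cust0412 [14/Jun/2002:10:01:12 -0400] "GET /cache/statement799.pdf HTTP/1.1" 200 48211
10.0.0.5 - cust0412 [14/Jun/2002:10:02:40 -0400] "GET /cache/statement798.pdf HTTP/1.1" 200 51002
10.0.0.5 - cust0412 [14/Jun/2002:10:02:58 -0400] "GET /cache/statement797.pdf HTTP/1.1" 200 47790
10.0.0.9 - cust0077 [14/Jun/2002:11:15:03 -0400] "GET /cache/statement412.pdf HTTP/1.1" 200 50133
10.0.0.9 - cust0077 [14/Jun/2002:11:15:09 -0400] "GET /images/logo.gif HTTP/1.1" 200 2311
10.0.0.12 - - [14/Jun/2002:12:00:00 -0400] "GET /cache/statement801.pdf HTTP/1.1" 200 49870
"""

# Constructed mapping of statement number to the customer who owns it (in a
# real review this comes from the statement-generation database).
OWNER_OF = {799: "cust0412", 798: "cust0205", 797: "cust0318",
            412: "cust0077", 801: "cust0990"}

# Only statement fetches matter; everything else in the log is skipped.
LINE_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "GET /cache/statement(\d+)\.pdf[^"]*" (\d{3})'
)


def audit(log_text, owner_of):
    """Return (suspects, anonymous).

    suspects:  {user_id: [statement numbers the user fetched but does not own]}
    anonymous: [(client_ip, statement number)] for fetches with no user ID.
    Only responses with status 200 count, since a 403/404 leaked nothing.
    """
    suspects = defaultdict(list)
    anonymous = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "200":
            continue
        ip, user, num = m.group(1), m.group(2), int(m.group(3))
        if user == "-":
            anonymous.append((ip, num))
        elif owner_of.get(num) != user:
            suspects[user].append(num)
    return dict(suspects), anonymous


if __name__ == "__main__":
    suspects, anonymous = audit(SAMPLE_LOG, OWNER_OF)
    for user, nums in suspects.items():
        print(f"{user} fetched statements not their own: {nums}")
    for ip, num in anonymous:
        print(f"unauthenticated fetch of statement{num}.pdf from {ip}")
```

In the constructed data the audit flags one logged-in user who walked two neighbouring statement numbers and one unauthenticated fetch; a clean log, which is what Flood described, would return an empty dictionary and an empty list.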

Ian Allen, a computer science professor at Algonquin College in Ottawa, brought the glitch to Fidelity Canada’s attention when he sent the company an e-mail last weekend. Allen said he received a user ID from Fidelity Canada in the mail and then went to the Web site to check his account information. Fidelity Canada doesn’t allow online registration; it sends customers their login information through the postal service.

“I got my paper user ID, brought up my statement and looked up at the URL. I thought that is interesting, the URL ended with ‘cache/statement799.pdf,’ ” he said. “I wondered, if they put [the account information] in the cache, how do they stop me from getting other things in the cache, and the answer is they don’t.”

Allen said he changed the nine to an eight, hit the return key and up popped someone else’s statement. He randomly changed numbers about 30 times and got a different account each time.
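What Allen describes is a direct object reference that is both guessable (a sequential counter in the file name) and unchecked (the server hands over any file in the cache directory regardless of who asks). The Python below is an added illustration, not Fidelity’s code: it models the vulnerable handler, the enumeration Allen did by hand, and a hardened store. The customer names, file contents and function names are constructed. The essential fix is the ownership check on every fetch; the random token in the URL is defence in depth only, since an address that is merely "never meant to be seen" is still an address anyone can type.

```python
import secrets

# Constructed sample data: three customers, one statement PDF each, stored
# under sequential file names the way the article describes.
CUSTOMER_STATEMENTS = {
    "statement798.pdf": ("alice", b"%PDF-1.4 alice statement"),
    "statement799.pdf": ("bob", b"%PDF-1.4 bob statement"),
    "statement800.pdf": ("carol", b"%PDF-1.4 carol statement"),
}


def serve_from_cache(session_user, filename):
    """Vulnerable handler: resolves the file by name alone. The session
    user is ignored, so any caller gets any statement that exists."""
    entry = CUSTOMER_STATEMENTS.get(filename)
    return (200, entry[1]) if entry else (404, None)


def enumerate_statements(serve, session_user, start, spread):
    """Walk the sequence numbers on either side of one known statement, as
    Allen did by changing a digit, and return the names the server served."""
    found = []
    for n in range(start - spread, start + spread + 1):
        name = f"statement{n}.pdf"
        status, _ = serve(session_user, name)
        if status == 200:
            found.append(name)
    return found


class StatementStore:
    """Hardened handler: every fetch is authenticated and bound to the owner,
    and the public identifier is a random token rather than a counter."""

    def __init__(self):
        self._by_token = {}  # token -> (owner, pdf bytes)

    def publish(self, owner, pdf):
        token = secrets.token_urlsafe(32)  # 256 bits; not enumerable
        self._by_token[token] = (owner, pdf)
        return token

    def serve(self, session_user, token):
        if session_user is None:
            return 401, None
        entry = self._by_token.get(token)
        # Same answer for "no such file" and "not your file", so a probe
        # cannot confirm that a guessed token exists.
        if entry is None or entry[0] != session_user:
            return 404, None
        return 200, entry[1]


def demo():
    """Run both handlers against the same data; returns the observed results."""
    # Bob, logged in, tries the numbers next to his own statement.
    leaked = enumerate_statements(serve_from_cache, "bob", 799, 1)

    store = StatementStore()
    tokens = {owner: store.publish(owner, pdf)
              for owner, pdf in CUSTOMER_STATEMENTS.values()}
    own = store.serve("bob", tokens["bob"])[0]      # 200: his own statement
    other = store.serve("bob", tokens["alice"])[0]  # 404: someone else's
    anon = store.serve(None, tokens["bob"])[0]      # 401: not logged in
    return leaked, own, other, anon


if __name__ == "__main__":
    leaked, own, other, anon = demo()
    print("vulnerable cache leaked:", leaked)
    print("hardened store: own", own, "other", other, "anonymous", anon)
```

Note that the vulnerable handler leaks the same three files whether or not a session exists, which is why the fix has to live in the handler rather than in the obscurity of the path.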

“They blew it completely,” Allen said. “I am somewhat surprised.”

Flood said the pages Allen accessed were static Portable Document Format (PDF) files containing account information, such as the customers’ investment portfolios and other personal data. They were not interactive pages that could be used for transactions, such as buying stock or transferring funds, she said.

She added, however, that the “cache/statement” Web address Allen found for his account was never meant to be visible to customers.

Toronto-based Fidelity Canada is still trying to determine how those addresses became visible, Flood said. “We certainly appreciate that he brought it to our attention,” she said.

Allen said he sent the e-mail on Saturday and got a call from a Fidelity vice president on Monday, two days later.

He joked that he suggested that he might deserve a reward. “He laughed but didn’t say anything,” Allen said. “I don’t think I am even going to get a T-shirt out of them.”

Fidelity Canada is at