Glitch at Fidelity Canada exposes customer info

Fidelity Investments Canada Ltd. said it has corrected a problem that allowed an Ottawa college professor to access static account information of other customers last weekend.

The cause of the error, which affected 30 customers in Canada and data held on one server, is still under investigation, Fidelity spokeswoman Kimberly Flood said today. She added that the Web logs for the company’s Web site showed that no one else accessed the information. The Web site and server in question serve 17,000 customers in Canada. Fidelity customers in the U.S. were not affected. Flood said the company has offered to give the 30 customers who were affected new passwords for their accounts.

Ian Allen, a computer science professor at Algonquin College in Ottawa, brought the glitch to Fidelity Canada’s attention when he sent the company an e-mail last weekend. Allen said he received a user identification from Fidelity Canada in the mail and then went to the Web site to check on his account information. Fidelity Canada doesn’t allow online registration and sends users information for logging in to their accounts via the postal service.

“I got my paper user ID, brought up my statement and looked up at the URL. I thought that is interesting, the URL ended with ‘cache/statement799.pdf,’ ” he said. “I wondered, if they put [the account information] in the cache, how do they stop me from getting other things in the cache, and the answer is they don’t.”

Allen said he changed the nine to an eight, hit the return key and up popped someone else’s statement. He randomly changed numbers about 30 times and got a different account each time.

“They blew it completely,” Allen said. “I am somewhat surprised.”

Flood said the pages Allen accessed were static Portable Document Format pages that contained account information, such as their investment portfolios and other personal data. They were not interactive pages that could be used for transactions, such as buying stock or transferring funds, she said.

She added however, that the “cache/statement” Web address that Allen found for his account was never meant to be seen, Flood said.

Toronto-based Fidelity Canada is trying to figure out how they became visible, Flood said. “We certainly appreciate that he brought it to our attention,” Flood said.

Allen said he got a call from a vice president at Fidelity two days after he sent the e-mail. He sent the e-mail Saturday and got a reply on Monday.

He joked that he suggested that he might deserve a reward. “He laughed but didn’t say anything,” Allen said. “I don’t think I am even going to get a T-shirt out of them.”

Fidelity Canada is at

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now