UPDATED 19:29 EDT / OCTOBER 10 2024

SECURITY

Fidelity Investments suffers data breach affecting nearly 80,000 customers

Financial services company Fidelity Investments has suffered a data breach in which the personal details of nearly 80,000 customers were stolen.

The data breach was disclosed in an Oct. 9 filing with the Office of the Maine Attorney General, which states that 77,099 persons were affected by the breach. It occurred on Aug. 17 but was only discovered two days later on Aug. 19.

According to a letter sent to those affected, a third party accessed and obtained certain information without authorization using two customer accounts that they had recently established. After discovering the breach on Aug. 19, Fidelity launched an investigation with the assistance of external security experts.

The types of data stolen were not disclosed beyond the form letter's statement that the stolen data involved personal information. Affected customers are being offered 24 months of free credit monitoring and identity restoration services from TransUnion Interactive.

The form of attack was also not disclosed. Although it is difficult to say which form it took, the absence of any reports of Fidelity services being disrupted around the time the data was accessed suggests it was most likely not ransomware.

Hinting at what may have occurred, a spokesperson for Fidelity told Bleeping Computer that the person or group behind the data breach “did not view accounts” but “viewed customer information.”

Fidelity's comment makes the breach sound as if the attacker exploited a vulnerability or misconfiguration, which is what Venky Raju, field chief technology officer at security provider ColorTokens Inc., believes.

“As the attackers were able to use their own accounts to access other customer accounts, it is clear that there are security misconfigurations in Fidelity’s customer-facing web applications,” Raju told SiliconANGLE via email. “This attack vector is so well-known and understood that it is ranked number one in OWASP’s Top 10 Web Application Security Risks. Attackers may have exploited this vulnerability to create new accounts at Fidelity and access other accounts.”
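The risk class Raju refers to, number one on the OWASP Top 10 (A01:2021, Broken Access Control), is a web application that authenticates a user but never checks that the object they request belongs to them. The following is an added illustration of that class and of a simple detection heuristic for it; it is not Fidelity's code, and nothing about Fidelity's actual application or the breach mechanics is known from the article. The account store, session model, handler names and log lines are all constructed for the example.

```python
"""Toy customer-portal profile lookup showing OWASP A01 Broken Access Control
(insecure direct object reference) beside a hardened version, plus a
detection heuristic run over constructed access-log lines.
Hypothetical example; not the code of any real portal."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed in-memory account store: account_id -> owner and profile data.
ACCOUNTS = {
    "1001": {"owner": "alice", "profile": {"name": "Alice A.", "ssn_last4": "1234"}},
    "1002": {"owner": "bob",   "profile": {"name": "Bob B.",   "ssn_last4": "5678"}},
    "1003": {"owner": "carol", "profile": {"name": "Carol C.", "ssn_last4": "9012"}},
}


@dataclass
class Session:
    user: str          # authenticated principal
    account_ids: set   # accounts this principal is allowed to read (server-side state)


def vulnerable_profile_lookup(session, account_id):
    """Authenticates (a session exists) but never authorizes: any logged-in
    user, including one who registered minutes ago, can read any account's
    profile simply by changing the ID in the request."""
    if session is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct["profile"]


def hardened_profile_lookup(session, account_id):
    """Same lookup with a server-side object-level authorization check.
    The allowed set comes from the session, never from the request, and a
    forbidden ID gets the same 404 as a nonexistent one so the caller cannot
    use the status code to enumerate which account IDs exist."""
    if session is None:
        return 401, None
    if account_id not in session.account_ids:
        return 404, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct["profile"]


# Constructed access-log lines: timestamp, user, requested account ID, status.
# "mallory" is a freshly registered user walking through other customers' IDs.
SAMPLE_LOG = """\
2024-08-17T02:10:01Z alice 1001 200
2024-08-17T02:10:05Z mallory 2001 200
2024-08-17T02:10:06Z mallory 1001 200
2024-08-17T02:10:07Z mallory 1002 200
2024-08-17T02:10:08Z mallory 1003 200
2024-08-17T02:11:00Z bob 1002 200
"""


def flag_enumeration(log_text, threshold=3):
    """Detection heuristic: one user successfully reading more than
    `threshold` distinct account IDs. A legitimate customer touches a
    handful of their own accounts; an enumerating attacker touches many.
    Returns {user: sorted list of account IDs} for each offender."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, user, account_id, status = parts
        if status == "200":
            seen[user].add(account_id)
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    mallory = Session("mallory", {"2001"})
    print("vulnerable:", vulnerable_profile_lookup(mallory, "1001"))
    print("hardened:  ", hardened_profile_lookup(mallory, "1001"))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

The point of the hardened handler is that the authorization decision uses state the attacker does not control (the session's allowed set) rather than anything in the request. The detection heuristic is deliberately crude: in production the threshold would be tuned per customer tier and windowed by time, but even this version would have surfaced a new account reading other customers' records.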

Sarah Jones, cyberthreat intelligence research analyst at managed detection and response company Critical Start Inc., said that “while the attackers’ specific motives remain unclear, it’s likely that information gathering was a primary objective.” She added that “this information could be used for future attacks, such as identity theft, phishing campaigns or even ransomware demands.”

Image: SiliconANGLE/Ideogram
