
Fidelity Investments breach exposed customers’ Social Security numbers

Fidelity Investments has disclosed a data breach affecting 77,099 customers. This breach involves Social Security numbers, driver’s license numbers and other personal information that criminals could use for fraud or identity theft.

The details are a bit unclear here. A filing with Maine’s attorney general on Oct. 9 said a malicious actor gained access to “certain information” on Aug. 17 by creating and “using” two customer accounts. Fidelity recognized the threat two days later and blocked the attacker’s access.

As for what information was stolen, we have to look at a separate filing, which TechCrunch found on the Massachusetts state government website. It says Social Security numbers, driver’s license numbers and financial accounts were compromised in the breach. However, that filing does not say how many people had their Social Security and driver’s license numbers stolen. (The reference to financial accounts is also a bit confusing, as Fidelity’s other filings claim that user accounts were not compromised.)

“Between August 17 and 19, a third party accessed and obtained certain information without authorization through two customer accounts it had recently established. We discovered this activity on August 19th and took immediate action to block access. An investigation was immediately launched with support from external security experts. The information received by the third party affected a small portion of our customers. Please note that this incident did not involve access to your Fidelity account(s).”

Fidelity has not explained how two customer accounts gained access to the private data of 77,000 people. However, the company says these accounts made “fraudulent requests” to retrieve documents from an internal database – a server-side request forgery (SSRF) attack seems likely, although this is just speculation.

Affected customers began receiving security breach alerts from Fidelity on October 9th. Luckily, the company is telling customers what data was stolen from them. It also offers credit monitoring and identity recovery services to those affected for 24 months.

This breach is unrelated to the Fidelity Investments life insurance leak that came to light in March. In that incident, about 28,000 customer names, dates of birth, Social Security numbers, credit card numbers and banking details were lost due to a breach at Infosys McCamish Systems, a third-party provider that has been building digital platforms and services for about 40 insurance companies for about 20 years.

Fidelity says it is “not aware of any misuse” of stolen customer data related to this incident. However, if this breach also involves driver’s license and Social Security numbers, as the Massachusetts filing shows, the potential for abuse is high. Affected customers can enroll in credit monitoring and identity recovery, courtesy of Fidelity. However, you should also consider freezing your credit and setting up fraud alerts.

Source: Fidelity
