Fidelity Investments has disclosed a data breach that affects 77,099 customers. This breach involves Social Security numbers, driver’s license numbers, and other personal information that criminals may use to commit fraud or identity theft.
The details here are somewhat murky. An October 9th filing with the Maine attorney general states that a bad actor gained access to “certain information” on August 17th by creating and “using” two customer accounts. Fidelity identified the threat two days later and terminated the bad actor’s access.
As for what information was stolen—well, we have to look at a separate filing that TechCrunch found on the Massachusetts state government’s website. It says that Social Security numbers, driver’s license numbers, and financial accounts were compromised in the breach. However, this filing doesn’t specify how many people’s Social Security and driver’s license numbers were stolen. (The reference to financial accounts is a bit confusing, too, as other Fidelity filings claim that user accounts were not compromised.)
“Between August 17 and August 19, a third party accessed and obtained certain information without authorization using two customer accounts that they had recently established. We detected this activity on August 19 and immediately took steps to terminate the access. An investigation was promptly launched with assistance from external security experts. The information obtained by the third party related to a small subset of our customers. Please note that this incident did not involve any access to your Fidelity account(s).”
Fidelity hasn’t explained how two customer-grade accounts gained access to 77,000 people’s private data. What the firm does say is that these accounts submitted “fraudulent requests” to pull documents from an internal database. It has not said what the underlying weakness was. The pattern described, legitimately created and authenticated accounts sending crafted requests that return other customers’ records, is what an authorization flaw such as an insecure direct object reference (IDOR) looks like; a Server-Side Request Forgery (SSRF) attack, in which the attacker induces the server itself to fetch internal resources, is a less natural fit for what has been disclosed. Either reading is speculation until Fidelity confirms the mechanism.
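The following is an added illustration, not code from Fidelity or from the original article, of the access pattern the notice describes: a freshly created, properly logged-in account fetching documents that belong to other customers. The flaw class shown (a document lookup with no ownership check) and every name in it are assumptions made for the example; the request log lines are constructed. It pairs the vulnerable handler with its hardened form and adds the kind of detection that would have surfaced this activity, flagging new accounts that retrieve an unusual number of distinct documents.

```python
"""Added example: missing-ownership-check document retrieval (hypothetical),
its fix, and a log heuristic for new-account document enumeration.
Nothing here is Fidelity's code; the mechanism of the real incident is unknown."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample store: document id -> (owning customer, contents).
DOCUMENTS = {
    "doc-1001": ("cust-A", "1099 for cust-A"),
    "doc-1002": ("cust-B", "1099 for cust-B"),
    "doc-1003": ("cust-C", "W-9 for cust-C"),
}


class Forbidden(Exception):
    """Raised when the requester may not see the requested document."""


def fetch_document_vulnerable(requester, doc_id):
    """Vulnerable: any authenticated account can fetch any document id.
    The owner column is loaded and then ignored, so a valid login plus a
    guessable id is all an attacker needs."""
    _owner, body = DOCUMENTS[doc_id]
    return body


def fetch_document_hardened(requester, doc_id):
    """Hardened: the lookup is scoped to the requester. A document the
    requester does not own is treated exactly like one that does not exist,
    so the response does not leak whether the id is valid."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None or entry[0] != requester:
        raise Forbidden(f"{requester} may not read {doc_id}")
    return entry[1]


def hardened_allows(requester, doc_id):
    """Small helper so callers can test the decision without try/except."""
    try:
        fetch_document_hardened(requester, doc_id)
        return True
    except Forbidden:
        return False


# Constructed request log: request time, account, account creation date,
# document id, HTTP status. acct-9001 is two days old and pulls four
# different documents; acct-0042 is years old and does the same legitimately.
LOG_LINES = """\
2024-08-17T09:00:01Z,acct-9001,2024-08-15,doc-1001,200
2024-08-17T09:00:02Z,acct-9001,2024-08-15,doc-1002,200
2024-08-17T09:00:03Z,acct-9001,2024-08-15,doc-1003,200
2024-08-17T09:00:04Z,acct-9001,2024-08-15,doc-1004,200
2024-08-17T09:05:00Z,acct-0042,2019-03-02,doc-1001,200
2024-08-17T09:06:00Z,acct-0042,2019-03-02,doc-2001,200
2024-08-17T09:06:10Z,acct-0042,2019-03-02,doc-2002,200
2024-08-17T09:06:20Z,acct-0042,2019-03-02,doc-2003,200
2024-08-17T09:07:00Z,acct-9002,2024-08-16,doc-1005,200
""".splitlines()


def flag_new_account_enumeration(lines, max_age_days=30, max_distinct_docs=3):
    """Return {account: distinct_docs} for accounts younger than max_age_days
    that successfully retrieved more than max_distinct_docs distinct documents.
    Only 200 responses count: failed guesses are noisy but not exfiltration."""
    distinct_docs = defaultdict(set)
    for line in lines:
        ts, account, created_on, doc_id, status = line.split(",")
        if status != "200":
            continue
        requested_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        created_at = datetime.fromisoformat(created_on).replace(
            tzinfo=requested_at.tzinfo)
        if requested_at - created_at > timedelta(days=max_age_days):
            continue  # established account; outside this heuristic's scope
        distinct_docs[account].add(doc_id)
    return {acct: len(docs) for acct, docs in distinct_docs.items()
            if len(docs) > max_distinct_docs}


if __name__ == "__main__":
    print("vulnerable:", fetch_document_vulnerable("cust-A", "doc-1002"))
    print("hardened allows cross-account:", hardened_allows("cust-A", "doc-1002"))
    print("flagged:", flag_new_account_enumeration(LOG_LINES))
```

The thresholds are placeholders; in a real deployment they would be tuned against the baseline of how many documents a new customer normally opens in their first weeks, and the check would run alongside the fix, not instead of it.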
Affected customers began receiving breach alerts from Fidelity on October 9th. Thankfully, the firm is telling customers what data of theirs was stolen. It is also offering 24 months of credit monitoring and identity restoration services for those impacted.
This breach is unrelated to the Fidelity Investments Life Insurance leak that was disclosed in March. Approximately 28,000 customers’ names, dates of birth, Social Security numbers, credit card numbers, and banking details were exposed in that incident, which stemmed from a breach at Infosys McCamish Systems, a third party that builds digital platforms and services for about 40 insurance companies.
Fidelity claims that it is “not aware of any misuse” of stolen customer data related to this incident. But if this breach includes driver’s license and Social Security numbers, as the Massachusetts filing suggests, the potential for misuse is high. If you are affected, you can sign up for the credit monitoring and identity restoration that Fidelity is offering, but you should also consider freezing your credit and setting up fraud alerts.
Source: Fidelity