Fidelity Investments confirms August breach affected 77K customers

Fidelity Investments sent out letters to its customers on Oct. 9 explaining it experienced a data breach in which a “third-party” stole unspecified personal information from a small subset of its customers. The incident did not involve access to Fidelity accounts.

The Boston-based financial services company said in a filing with Maine’s attorney general that the breach affected 77, 099 individuals.

In its letter to those affected, Fidelity told customers that between Aug. 17 and Aug. 19, a third-party accessed and obtained certain information without authorization using two customer accounts that they had recently established. Fidelity said they detected this on Aug. 19 and immediately took steps to terminate the access.

When asked what specific data was exposed, Fidelity would not release details, but a spokesperson offered the following statement:

“I can confirm there is no evidence or indication this was a ransomware incident. I can also confirm that no funds were taken, and to restate, accounts were not accessed.”

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said while the attackers' specific motives remain unclear, it's likely that information-gathering was a primary objective. Jones said the attackers could use this information for future attacks, such as identity theft, phishing campaigns, or even ransomware demands.

“The ‘beachhead’ theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents,” said Jones. “Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities."

Jones added that cyberattacks on financial institutions often involve a combination of techniques, such as phishing, social engineering, exploiting vulnerabilities, and credential stuffing. To mitigate these risks, Jones said banks and financial institutions should prioritize robust security measures, including multi-factor authentication, encryption, and regular vulnerability assessments.

Broken access control in Fidelity web apps?

Venky Raju, Field CTO at ColorTokens, said that because the attackers used their own accounts to access other customer accounts, he believed there are security misconfigurations in Fidelity’s customer-facing web applications. Raju said this attack vector is so well-known and understood that it’s ranked No. 1 in OWASP’s Top 10 Web Application Security Risks. 

Termed “broken access control” by OWASP, Raju explained that one of the risks associated with this is permitting the viewing or editing of someone else's account by providing its unique identifier. 

“Attackers may have exploited this vulnerability to create new accounts at Fidelity and access other accounts,” Raju speculated, pointing out he addressed this topic in a LinkedIn post when he came across leaked personal information on the web.

Itzik Alvas, co-founder and CEO Entro Security, said containment of a breach is often as difficult as identifying one in the first place. Alvas said while it's great Fidelity has validated that customer funds are unaffected, the full scope of this attack will require a thorough and time-consuming investigation.

“Compromised personal information can be used to create human and non-human identities, which can further expand the scope and impact of the attack,” said Alvas.