
More Than 77,000 Affected by Fidelity Investments Data Breach

Was access gained from broken access control within Fidelity's web apps?


Fidelity Investments had information from 77,009 individuals compromised following a data breach in August.

According to SC US, attackers were able to exfiltrate certain customer information between August 17th and 19th from the US multi-national financial services firm after using two newly created customer accounts, which were immediately taken down.

A breach notice issued by the Boston-based firm did not reveal details regarding the nature of the stolen data, but the company emphasised that the incident involved neither ransomware nor fund compromise.

ColorTokens field chief technology officer Venky Raju noted that the breach potentially stemmed from broken access control within Fidelity's web apps, while Critical Start cyber threat intelligence research analyst Sarah Jones believes the threat actors may have been primarily seeking information for future attacks.

“The 'beachhead' theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents,” Jones said. “Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.”

