
Fidelity Investments breaches the Social Security numbers of exposed clients

Fidelity Investments has disclosed a data breach affecting 77,099 customers. This breach includes Social Security numbers, driver’s license numbers and other personal information that criminals can use to commit fraud or identity theft.

The details here are a bit murky. An Oct. 9 filing with the Maine attorney general claims a bad actor gained access to “certain information” on Aug. 17 by creating and “using” two customer accounts. Fidelity identified the threat two days later and terminated the bad actor’s access.

As for what information was stolen, we have to look at a separate filing that TechCrunch located on the Massachusetts state government website. It says Social Security numbers, driver’s license numbers and financial accounts were compromised in the breach. However, this filing does not specify how many people had their Social Security and driver’s license numbers stolen. (The reference to financial accounts is also somewhat confusing, as other Fidelity documents state that user accounts were not compromised.)

“Between August 17th and August 19th, a third party accessed and obtained certain information without authorization using two customer accounts they had recently established. We detected this activity on August 19th and immediately took action to cancel access. An investigation was immediately initiated with the assistance of external security experts. The information obtained by the third party is related to a small subset of our customers. Please note that no access was involved to your Fidelity accounts.”

Fidelity has not explained how two newly created customer accounts gained access to the private data of 77,000 people. However, the company says these accounts submitted “fraudulent requests” to extract documents from an internal database. A server-side request forgery (SSRF) attack seems likely, although this is only speculation.

Affected customers began receiving breach alerts from Fidelity on October 9. Luckily, the firm is telling customers which of their data was stolen. It also offers 24 months of credit monitoring and identity restoration services to those affected.

This breach is unrelated to the Fidelity Investments life insurance leak that was disclosed in March. In that incident, approximately 28,000 customer names, dates of birth, Social Security numbers, credit card numbers and bank details were exposed through a breach of the Infosys McCamish system, a third party that builds digital platforms and services for approximately 40 insurance companies.

Fidelity says it is “not aware of any misuse” of stolen customer data related to this incident. But if the breach includes driver’s license and Social Security numbers, as the Massachusetts filing suggests, the potential for misuse is high. Affected customers can sign up for credit monitoring and identity restoration, courtesy of Fidelity, but should also consider freezing their credit and setting up fraud alerts.

Source: Fidelity