Fidelity Investments, a huge asset management company and insurer in the US, has reportedly been breached, with the personal data of more than 77000 customers exposed. Fidelity Investments manages about $4.9 trillion of assets and ranks amongst the top 5 in the financial sector.
In a note to its impacted customers, Fidelity has informed them that their personal details were accessed without authorization. In the period between 17th and 19th August, a third party used two of its accounts to access the personal information of about 77000 Fidelity customers without authorization. Though Fidelity has not given any insight into what personal information got leaked, it is expected to include email address, name, residential address and contact information at the minimum. The sensitivity of the exposed details was enough to warrant a safety precaution against identity-impacting attacks: Fidelity said it will provide a free-of-charge option to enroll in a credit monitoring or identity restoration service for 24 months.
In response to the incident, Fidelity immediately revoked the two accounts that were used to access customer accounts without authorization. However, the responsibility for the security lapse lies with Fidelity, as the incident clearly highlights poor security practices in handling customer data and keeping it safe against such naïve authorization bypass attacks. This time, the attackers could only breach a small subset of a huge customer base, but Fidelity should learn from this breach and subject its systems and infrastructure to rigorous penetration testing so that it can improve the overall security posture of its systems.