Another day, another data breach. This latest one affects customers of one of the largest investment firms in the US. In a Wednesday filing with several state attorneys general, Fidelity Investments revealed that it was hit by a breach on August 17, which the firm detected on August 19. A letter sent to the 77,099 customers caught up in the breach confirmed that the attackers stole personal information related to them.
The notices to three attorneys general each disclosed different details, as spotted by TechCrunch.
The notice shared with the Maine attorney general stated the date of the breach, when it was discovered, and how many people were affected. It also included a sample of the letter sent to customers. In that letter, Fidelity said that a third party had accessed and obtained certain information without authorization by using two customer accounts the third party had recently set up. After detecting the activity, the company terminated access to those accounts and launched an investigation with help from outside security experts.
A data breach notice sent to New Hampshire’s attorney general said that the third party retrieved certain documents related to Fidelity customers and other individuals by submitting fraudulent requests to an internal database containing images of those documents. The compromise was limited to that one database, Fidelity said, and no customer accounts or funds were accessed. The company added that certain “remedial actions” were taken to prevent this type of breach in the future.
Next, a notice of data breaches filed with the Massachusetts attorney general disclosed that the social security numbers and driver’s licenses of Fidelity customers in the state were compromised in the incident. Yet, the notice also said that financial accounts were breached.
“While the attackers’ specific motives remain unclear, information gathering was likely a primary objective,” Sarah Jones, cyber threat intelligence research analyst at cybersecurity firm Critical Start, told ZDNET.
“This information could be used for future attacks, such as identity theft, phishing campaigns, or even ransomware demands. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.”
Though Fidelity said it isn’t aware of any misuse of the data stolen in the breach, the firm is offering free credit monitoring to those affected. Customers can enroll in a free credit monitoring and identity restoration service for 24 months. Provided by TransUnion Interactive, a subsidiary of TransUnion, the service lets you monitor your credit reports for signs of unusual activity that may indicate fraud. To enroll, customers visit the service’s website and enter the activation code included in the letter.
Beyond trying the free credit monitoring, Fidelity customers should take other actions.
- Statement review: Review each statement for your Fidelity account and other financial accounts for signs of fraudulent activity or identity theft. Report any suspicious activity to the financial company.
- Fraud alert: Consider placing an initial fraud alert on your credit file. Good for 90 days, this tells creditors to contact you before opening or changing an account in your name. You can place this type of alert with any of the three major credit reporting agencies — Equifax, Experian, or TransUnion. Fidelity’s letter includes details on how to place the fraud alert.
- Password change: Though there’s no indication of password compromise in the breach, change your Fidelity password to be on the safe side. Make sure the new password is long and complex so it resists cracking. Consider using a password manager to create and store strong, unique passwords, especially for your financial accounts.
Ultimately, the onus is on companies like Fidelity to set up the proper security defenses to avoid breaches that directly affect their customers.
“Cyberattacks on financial institutions often involve a combination of techniques, such as phishing, social engineering, exploiting vulnerabilities, and credential stuffing,” Jones said.
“To mitigate these risks, banks and financial institutions should prioritize robust security measures, including multi-factor authentication (MFA), encryption, and regular vulnerability assessments,” Jones added. “Educating employees about cybersecurity threats and best practices is vital to prevent social engineering attacks.
A comprehensive incident response plan is essential for promptly detecting and addressing security breaches. Continuous monitoring of networks and systems for suspicious activity is crucial, along with adherence to relevant industry regulations and standards to ensure data privacy and security.”