pwshub.com

Fidelity Investments suffers data breach affecting nearly 80,000 customers

Financial services company Fidelity Investments has suffered a data breach in which the details of nearly 80,000 customers were stolen.

The data breach was disclosed in an Oct. 9 filing with the Office of the Maine Attorney General, which states that 77,099 persons were affected. The breach occurred on Aug. 17 but was only discovered two days later, on Aug. 19.

According to a letter sent to those affected, a third party accessed and obtained certain information without authorization using two customer accounts that they had recently established. After discovering the breach on Aug. 19, Fidelity launched an investigation with the assistance of external security experts.

The types of data stolen were not disclosed, beyond the form letter's statement that the stolen data involved personal information. Affected customers are being offered 24 months of free credit monitoring and identity restoration services from TransUnion Interactive.

The form of attack was also not disclosed. Although it is difficult to say which form of attack was used, there are no reports of Fidelity services being disrupted around the time the data was accessed, so it was most likely not ransomware.

Hinting at what may have occurred, a spokesperson for Fidelity told Bleeping Computer that the person or group behind the data breach “did not view accounts” but “viewed customer information.”

The comment from Fidelity makes it sound as though the attacker exploited a vulnerability or misconfiguration, which is what Venky Raju, field chief technology officer at security provider ColorTokens Inc., believes.

“As the attackers were able to use their own accounts to access other customer accounts, it is clear that there are security misconfigurations in Fidelity’s customer-facing web applications,” Raju told SiliconANGLE via email. “This attack vector is so well-known and understood that it is ranked number one in OWASP’s Top 10 Web Application Security Risks. Attackers may have exploited this vulnerability to create new accounts at Fidelity and access other accounts.”

Sarah Jones, cyberthreat intelligence research analyst at managed detection and response company Critical Start Inc., said that “while the attackers’ specific motives remain unclear, it’s likely that information gathering was a primary objective.” She added that “this information could be used for future attacks, such as identity theft, phishing campaigns or even ransomware demands.”

Source: siliconangle.com
