What happened in the Fidelity Investments data breach?

Between August 17 and 19, 2024, Fidelity Investments experienced a data breach that exposed personal information of 77,099 customers. The breach was detected on August 19, 2024, after unauthorized activity was discovered involving two newly created customer accounts that enabled broader access to sensitive data.

What type of data was exposed in the Fidelity data breach?

The exposed data includes Social Security numbers, driver's license information, and customer names and surnames. Fidelity has confirmed that no access was gained to customers' investment accounts or funds during the incident.

How did the attackers gain access to the customer data?

The attackers used two newly created customer accounts to access a broader set of customer data through fraudulent requests. While details are not fully clear, it is suspected that an IDOR (Insecure Direct Object Reference) vulnerability may have been exploited, allowing the attackers to access unauthorized data.

What is an IDOR vulnerability?

An IDOR (Insecure Direct Object Reference) vulnerability occurs when an application allows users to access objects like database records directly by manipulating an identifier (such as a URL parameter) without proper access controls. This can lead to unauthorized access to sensitive data if exploited.

What actions has Fidelity taken in response to the breach?

Fidelity Investments terminated the unauthorized access immediately upon discovery and initiated an investigation with external cybersecurity experts. They are offering two years of free credit monitoring and identity restoration services through TransUnion to affected individuals.

What should affected Fidelity customers do to protect themselves?

Affected customers are advised to enroll in the free credit monitoring service provided by Fidelity through TransUnion. They should remain vigilant for signs of identity theft and monitor their credit reports for any unusual activity.

Incident

Fidelity Investments reports data breach exposing personal data of 77K customers

published: Oct. 10, 2024

Learn More

Fidelity Investments is reporting a data breach that exposed personal information of 77,099 customers between August 17 and 19, 2024. The Boston-based financial services company discovered the unauthorized activity on August 19, when a third party accessed sensitive data through two newly created customer accounts.

The attack was executed using two customer accounts established by the attackers, which enabled access to a broader set of customer data through fraudulent requests. Details on how these accounts facilitated the broader data access remain unclear, but it seems that an IDOR vulnerability is quite probable.

An IDOR (Insecure Direct Object Reference) flaw occurs when an application allows a user to access objects (like database records or files) directly by providing an identifier (e.g., a URL parameter) without proper access control, allowing attackers to manipulate the identifier to access unauthorized dat

The company responded by terminating the unauthorized access and launching an investigation with the help of external cybersecurity experts.

The exposed data includes:

Social Security numbers
driver’s license information
names and surnames

Fidelity claims that no access was gained to customers' investment accounts or funds during the incident. Fidelity is offering two years of free credit monitoring and identity restoration services through TransUnion for affected individuals, urging them to stay vigilant against potential identity theft.

Fidelity Investments reports data breach exposing personal data of 77K customers

Read More
City of Helsinki reports data breach of its …
Truist Bank reports data breach caused by third …
Appalachian Community Federal Credit Union hit by cyberattack …
Korean job platform Albamon exposes over 22K resume …
FIA Driver categorisation website vulnerability exposes data of …