Just over 77,000 individuals will be receiving news from Fidelity Investments that their personal information has been compromised in a data security incident.
The breach itself occurred between Aug. 17 and Aug. 19, when an unauthorized third-party gained access to two customer accounts and obtained private information. When the activity was detected on Aug. 19, access was terminated and an investigation began.
According to Fidelity’s notification letter, the incident did not involve any access to Fidelity accounts and the information obtained by the threat actors “related to a small subset of our customers.”
“While the attackers’ specific motives remain unclear, it’s likely that information gathering was a primary objective,” said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. “The ‘beachhead’ theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.”
Indeed, though Fidelity iterates that it is unaware of any misuse of its customers’ personal information obtained in this breach, this is the second time this year that it has faced a data breach. In March, Fidelity notified roughly 30,000 individuals that their information had been compromised in a third-party breach involving service provider Infosys McCamish (IMS).
Fidelity is providing free credit monitoring and identity restoration services for those impacted by this breach through TransUnion Interactive for 24 months.
It also encourages individuals to remain vigilant and review their financial statements often, reporting any suspicious or fraudulent activity.