Fidelity Investments experienced a data breach in August, compromising information from 77,009 individuals. According to SC US, attackers managed to exfiltrate certain customer details between August 17 and 19 by utilizing two newly created customer accounts, which were promptly disabled.
The breach notice issued by the Boston-based company did not specify the type of stolen data but clarified that it did not involve ransomware or the compromise of funds. Venky Raju, ColorTokens’ field chief technology officer, suggested that the incident may have resulted from broken access control within Fidelity’s web applications. Meanwhile, Sarah Jones, a cyber threat intelligence research analyst at Critical Start, indicated that the attackers might have primarily aimed to gather information for potential future attacks.
Jones noted, “The ‘beachhead’ theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. While Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.”
