77,000 Compromised accounts in Fidelity hack — What actually happened

CyberPunkMetalHead
3 min read · Oct 11, 2024


In August 2024, Fidelity Investments, one of the world’s largest asset management companies with over $5.5 trillion in assets under management, suffered a significant data breach affecting over 77,000 customers. Fidelity only made this public recently.

The breach occurred over two days, from August 17 to 19, when cybercriminals used two fraudulent customer accounts to gain unauthorised access to the personal information of tens of thousands of Fidelity’s users. Although no financial data was compromised, the breach exposed sensitive customer data, including names and other personal identifiers.

The breach is particularly alarming given Fidelity’s scale, with the firm managing over $5.5 trillion in assets across 11 countries. Fidelity responded quickly, detecting the intrusion on August 19 and immediately launching an investigation with external cybersecurity experts, but questions linger over how the attackers were able to breach its defenses using such a straightforward method.

It’s worth noting that this is not Fidelity’s first rodeo. Fidelity suffered another attack in October 2023, in which the personal information of 23,000 clients was compromised as part of a wider attack on IMS systems.

How the Attack Took Place

The attackers exploited a vulnerability in Fidelity’s account management system by creating two customer accounts, which were then used to access the personal data of other customers. This points to a likely security misconfiguration in Fidelity’s customer-facing systems that allowed these fraudulent accounts to bypass the safeguards which should have confined each account to its own data. This type of vulnerability is well documented and a common attack vector, ranked highly on the OWASP Top 10 Web Application Security Risks.
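The article does not describe the flaw itself, only that ordinary customer logins were used to read other customers’ records. The example below is added here and is not Fidelity’s code or anything from the article; it assumes the common pattern behind that description, a customer-data lookup that checks only that the caller is logged in and never that the caller is allowed to see the requested record. It shows that lookup beside its hardened form, and a simple detector that flags an account reading far more distinct customer records than a genuine customer ever would, which is the kind of signal that would have surfaced two accounts reading tens of thousands of records over two days. All names, accounts and records are constructed.

```python
"""Constructed demo: a customer-record lookup with and without a per-record
authorization check, plus a detector for record-enumeration behaviour.
None of this is Fidelity's code; the data below is made up for the example."""
from collections import defaultdict

# Constructed customer records keyed by customer id.
CUSTOMERS = {
    "C1001": {"name": "Alice Example", "ssn_last4": "1234"},
    "C1002": {"name": "Bob Example", "ssn_last4": "5678"},
    "C1003": {"name": "Carol Example", "ssn_last4": "9012"},
    "C1004": {"name": "New Account", "ssn_last4": "0000"},
}

# Hypothetical session table: which customer ids each login may view.
# A self-service customer account should only ever see its own record.
AUTHORIZED = {
    "alice": {"C1001"},
    "bob": {"C1002"},
    "newacct1": {"C1004"},  # a freshly self-registered account
}


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def get_customer_vulnerable(session_user, customer_id):
    """Broken object-level authorization: any logged-in user can read any record,
    because the only check is 'is someone logged in?'."""
    if session_user not in AUTHORIZED:
        raise Forbidden("not logged in")
    return CUSTOMERS.get(customer_id)


def get_customer_hardened(session_user, customer_id):
    """Same lookup with the missing check: the caller must be authorized for
    this specific record. The check runs before the lookup so an unauthorized
    caller cannot even learn whether the id exists."""
    if session_user not in AUTHORIZED:
        raise Forbidden("not logged in")
    if customer_id not in AUTHORIZED[session_user]:
        raise Forbidden("not authorized for this record")
    return CUSTOMERS.get(customer_id)


def flag_enumeration(access_log, threshold):
    """Return {user: distinct_records_read} for users who read more distinct
    customer records than `threshold`. access_log is an iterable of
    (session_user, customer_id) pairs, as an application log would record."""
    seen = defaultdict(set)
    for user, cid in access_log:
        seen[user].add(cid)
    return {u: len(s) for u, s in seen.items() if len(s) > threshold}


# Constructed access log: alice looks at her own record twice, while the new
# account walks through everyone else's ids.
SAMPLE_LOG = [
    ("alice", "C1001"),
    ("alice", "C1001"),
    ("newacct1", "C1001"),
    ("newacct1", "C1002"),
    ("newacct1", "C1003"),
    ("newacct1", "C1004"),
]


def run_demo():
    """Exercise both handlers and the detector; returns a summary dict."""
    vuln_leak = get_customer_vulnerable("newacct1", "C1001")  # succeeds: data leaks
    try:
        get_customer_hardened("newacct1", "C1001")
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True
    own_record = get_customer_hardened("alice", "C1001")
    return {
        "vulnerable_leaks_other_customer": vuln_leak is not None,
        "hardened_blocks_other_customer": hardened_blocked,
        "hardened_allows_own_record": own_record["name"] == "Alice Example",
        "flagged": flag_enumeration(SAMPLE_LOG, threshold=1),
    }


if __name__ == "__main__":
    print(run_demo())
```

The threshold in `flag_enumeration` is deliberately a parameter: a real customer portal would set it from observed behaviour (a customer reads one record, occasionally a handful of linked ones), and would also alert on a newly created account that starts reading records at all, since that is the combination described in the article.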

Notably, the attackers did not access customers’ financial accounts or alter any investments, but the information they acquired — such as names, addresses, and possibly social security numbers — could be used in future identity theft or phishing attacks. Despite this, Fidelity has stated there is no evidence that the stolen data has been misused so far.

Aftermath and Response

Fidelity quickly responded by offering affected customers two years of free credit monitoring and identity restoration services. In its public communications, Fidelity emphasized its commitment to safeguarding customer data and is taking steps to prevent future breaches. The company advised all customers to remain vigilant, regularly checking their financial and credit accounts for any suspicious activity.

The main issue with a data breach of this scale is that its impact is not directly measurable. The goal of an attacker in a breach of this kind is not to directly drain a victim’s account, but rather to steal as much valuable information as possible and sell it on the deep web.

This may consist of personal information, credit card details, social security numbers and so on. This information can then be sold on the dark web and used to steal identities, create fake ones, clone credit cards and more.

Due to the nature of this attack, affected account holders must immediately change their login details, but that doesn’t guarantee their safety. If the victim’s personal information is already circulating on the dark web, it is much harder for an individual to defend against. However, Fidelity has promised to offer a 24/7 fraud prevention service to all affected accounts, which scans the dark web for any of their personally identifiable information.

That’s it for today. Remember to give this article some claps (👏) if you found it insightful!


Written by CyberPunkMetalHead

x3 Top Writer and co-founder of Algo Trading Platform AESIR. I write about crypto, trading, tech and coding.
