Fidelity has confirmed that access to an internal customer information database did occur in August. According to Fidelity, threat actors were potentially able to access Social Security numbers, driver's license information, etc. for 77,000 Fidelity members.
While Fidelity stresses several times in the statement that accounts and funds were not accessible to the threat actors, let's not gloss over the finer point here... with Socials and identity information in hand, how long is it before those funds are targeted?
Another interesting detail, if you read between the lines of the press release, is that the breach apparently occurred following the creation of two fraudulent customer accounts. How would creating a fraudulent account grant a criminal access to thousands of legitimate clients' information? High quality question...
The reason I grabbed this story off the stack is that it subtly highlights a disturbing trend. This breach occurred because Fidelity was employing a database to house client data that had glaring security issues. How do I know this? Am I a developer, professional hacker or security investigator? No... but I can read.
In Fidelity's own words, an "unnamed third party accessed information from its systems between August 17 and August 19 using two customer accounts that they had recently established".
I don't care how technically sophisticated you are. It doesn't take a PhD to understand that setting up a customer account should NEVER accidentally grant you access to another customer's information, let alone the information of 77,000 other customers.
This wasn't some sophisticated external breach through firewalls and other security measures, or a spear phishing campaign. This was a flaw that was leveraged in a powerful way. Why is that significant? Fidelity presumably has a massive cyber security budget, regular audits and compliance regulations to adhere to. Still, this flaw was not identified...
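To make the point concrete, here is an added illustration of the general class of design error the post is describing: a system that checks who is logged in but never checks whether that account is allowed to read the specific record it asks for. This is example code written for this post, not Fidelity's code, and the post does not say what Fidelity's actual flaw was; the account names, record ids and "last four" values are all constructed sample data. It contrasts the missing check with the per-record ownership check that a newly created account should always run into.

```python
# Added illustration, not Fidelity's code. The post never describes the real flaw;
# this only shows the class of error it alludes to: authentication without
# per-record authorization. All accounts and values below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerRecord:
    record_id: int
    owner_account: str
    ssn_last4: str  # constructed sample value, not real data


class AccessDenied(Exception):
    pass


# Constructed sample "database": three existing customers, one record each.
RECORDS = {
    1: CustomerRecord(1, "alice", "1234"),
    2: CustomerRecord(2, "bob", "5678"),
    3: CustomerRecord(3, "carol", "9012"),
}


def fetch_record_unchecked(requesting_account: str, record_id: int) -> CustomerRecord:
    """The design flaw: we know which account is asking (authentication), but we
    never ask whether that account may read this record (authorization).
    Any valid account, including one created minutes ago, can read any record."""
    return RECORDS[record_id]


def fetch_record_checked(requesting_account: str, record_id: int) -> CustomerRecord:
    """Hardened version: the record must belong to the account asking for it.
    A freshly created account therefore sees only its own (empty) data."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_account != requesting_account:
        # One response for both "no such record" and "not yours", so a caller
        # cannot tell which ids exist.
        raise AccessDenied(f"account {requesting_account!r} may not read record {record_id}")
    return record


def records_readable_by(account: str, fetch) -> int:
    """Count how many records one account can read under a given fetch function.
    This is the blast radius: the difference between the two versions is the
    whole point of the post."""
    readable = 0
    for record_id in RECORDS:
        try:
            fetch(account, record_id)
            readable += 1
        except (AccessDenied, KeyError):
            pass
    return readable


if __name__ == "__main__":
    # "mallory" is a brand-new account that owns no records at all.
    print("unchecked:", records_readable_by("mallory", fetch_record_unchecked))  # 3
    print("checked:  ", records_readable_by("mallory", fetch_record_checked))    # 0
```

The takeaway for anyone reviewing a customer portal is that the second function's ownership check has to run on every single record access; a review or audit that only confirms "users must log in" would pass both versions.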
I am not a proponent of lighting torches, but companies are going to have to work harder to safeguard our privacy, much, much harder.
Harden the target, Stay Vigilant!