Hackers used two Fidelity accounts to steal data from 77,000 customers

Cybercriminals recently stole personal information on 77,099 consumers using two Fidelity Investments customer accounts they created posing as legitimate customers, the investing platform said in a public disclosure Wednesday.

Between August 17 and August 19, the attackers "obtained certain information without authorization using two customer accounts that they had recently established," according to Fidelity's letter to victims, which it provided to the Maine attorney general. The company detected the intrusion on August 19.

Fidelity has not publicly detailed what personal information was involved in the breach. The company was careful to point out that the breach involved access to customers' personal information, not their Fidelity accounts. In other words, the attackers did not steal any money or investments.

As is standard procedure following such data breaches, Fidelity has offered credit monitoring and identity restoration services to victims.

Fidelity did not immediately respond to a request for comment.

The incident at Fidelity disclosed this week is the second data breach affecting Fidelity customers in the past year. A data breach in November at Infosys McCamish, a financial software provider, affected 31,227 Fidelity Investments life insurance customers. Fidelity disclosed that breach, which involved a compromise at Infosys rather than Fidelity, in March.

Bank of America also disclosed that the data breach at Infosys McCamish affected 57,028 consumers whose deferred compensation accounts the bank serviced.

The latest Fidelity incident raised questions about how the attackers could use two Fidelity customer accounts to steal data from thousands of consumers and "emphasizes the need to secure internal systems as thoroughly as the external perimeter," said Ray Kelly, a fellow at cybersecurity firm BlackDuck with 18 years of experience in internet security, including at Hewlett Packard and Barracuda Networks.

According to Fidelity, the attackers created two user accounts, then used those to access the data belonging to 77,099 customers. Fidelity did not clarify whether the attack related to a vulnerability in the account creation process, or whether any user account could have been used to access other consumers' data.

While cybercriminals sometimes create accounts at an institution in the pursuit of attacking the institution, rarely do customer accounts grant attackers sufficient access to compromise other customer accounts or their data.

In an incident disclosed in August, USAA told 32,276 customers that an error — not a cyberattack — inadvertently mixed up documents between members' accounts.

"As a result of the error, some documents for members with property and casualty insurance products through USAA were inadvertently posted to another member's online account," the company told victims in a letter sent August 27.

It is unclear in that case whether one account gained access to 32,276 other consumers' information, or whether the exposures were more randomized and individual — i.e., whether individual members gained access to other individual members' accounts. USAA faces a class action lawsuit over the matter.